Python for Cybersecurity - Howard E. Poston - E-Book

Python for Cybersecurity E-Book

Howard E. Poston

Description

Discover an up-to-date and authoritative exploration of Python cybersecurity strategies.

Python For Cybersecurity: Using Python for Cyber Offense and Defense delivers an intuitive and hands-on explanation of using Python for cybersecurity. It relies on the MITRE ATT&CK framework to structure its exploration of cyberattack techniques, attack defenses, and the key cybersecurity challenges facing network administrators and other stakeholders today. Offering downloadable sample code, the book is written to help you discover how to use Python in a wide variety of cybersecurity situations, including:

Reconnaissance, resource development, initial access, and execution

Persistence, privilege escalation, defense evasion, and credential access

Discovery, lateral movement, collection, and command and control

Exfiltration and impact

Each chapter includes discussions of several techniques and sub-techniques that could be used to achieve an attacker's objectives in any of these use cases. The ideal resource for anyone with a professional or personal interest in cybersecurity, Python For Cybersecurity offers in-depth information about a wide variety of attacks and effective, Python-based defenses against them.

Page count: 267

Publication year: 2022




Table of Contents

Cover

Title Page

Introduction

How This Book Is Organized

Tools You Will Need

From Here

CHAPTER 1: Fulfilling Pre-ATT&CK Objectives

Active Scanning

Search Open Technical Databases

Summary

Suggested Exercises

CHAPTER 2: Gaining Initial Access

Valid Accounts

Replication Through Removable Media

Summary

Suggested Exercises

CHAPTER 3: Achieving Code Execution

Windows Management Instrumentation

Scheduled Task/Job

Summary

Suggested Exercises

CHAPTER 4: Maintaining Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Summary

Suggested Exercises

CHAPTER 5: Performing Privilege Escalation

Boot or Logon Initialization Scripts

Hijack Execution Flow

Summary

Suggested Exercises

CHAPTER 6: Evading Defenses

Impair Defenses

Hide Artifacts

Summary

Suggested Exercises

CHAPTER 7: Accessing Credentials

Credentials from Password Stores

Network Sniffing

Summary

Suggested Exercises

CHAPTER 8: Performing Discovery

Account Discovery

File and Directory Discovery

Summary

Suggested Exercises

CHAPTER 9: Moving Laterally

Remote Services

Use Alternative Authentication Material

Summary

Suggested Exercises

CHAPTER 10: Collecting Intelligence

Clipboard Data

Email Collection

Summary

Suggested Exercises

CHAPTER 11: Implementing Command and Control

Encrypted Channel

Protocol Tunneling

Summary

Suggested Exercises

CHAPTER 12: Exfiltrating Data

Alternative Protocols

Non-Application Layer Protocols

Summary

Suggested Exercises

CHAPTER 13: Achieving Impact

Data Encrypted for Impact

Account Access Removal

Summary

Suggested Exercises

Index

Copyright

Dedication

About the Author

Acknowledgments

About the Technical Editor

End User License Agreement

List of Tables

Chapter 1

Table 1.1: DNSExplorer Default Hosts

Chapter 2

Table 2.1: Windows Logon Types

Chapter 6

Table 6.1: Windows Service Start Codes

List of Illustrations

Chapter 1

Figure 1.1: MITRE Pre-ATT&CK

Figure 1.2: SYN scan in Wireshark

Chapter 2

Figure 2.1: MITRE ATT&CK: Initial Access

Figure 2.2: Sample Telnet authentication

Figure 2.3: Sample Windows Event log

Figure 2.4: Failed login attempt

Figure 2.5: USB directory

Chapter 3

Figure 3.1: MITRE ATT&CK: Execution

Figure 3.2: Sample WMI Event log entry

Figure 3.3: WMI log entry XML

Chapter 4

Figure 4.1: MITRE ATT&CK: Persistence

Figure 4.2: Windows Registry

Figure 4.3: Example Autorun keys

Figure 4.4: HKEY_USERS Registry hive

Figure 4.5: Edited Autorun key

Figure 4.6: Modified path value

Figure 4.7: Local Security Policy dialog

Figure 4.8: Permissions dialog

Figure 4.9: Advanced Security Setting dialog

Figure 4.10: Edited Registry value event

Chapter 5

Figure 5.1: MITRE ATT&CK: Privilege Escalation

Chapter 6

Figure 6.1: MITRE ATT&CK: Defense Evasion

Figure 6.2: Malwarebytes service Registry key

Chapter 7

Figure 7.1: MITRE ATT&CK: Credential Access

Figure 7.2: Local State Properties dialog

Figure 7.3: Advanced Security Settings dialog

Figure 7.4: Sample file auditing entry

Figure 7.5: Sample auditing event

Figure 7.6: Sample FTP packet in Wireshark

Figure 7.7: Sample SMTP conversation in Wireshark

Figure 7.8: Sample Telnet conversation in Wireshark

Figure 7.9: FTP connection with fake credentials

Chapter 8

Figure 8.1: MITRE ATT&CK: Discovery

Figure 8.2: Sample special logon event

Chapter 9

Figure 9.1: MITRE ATT&CK: Lateral Movement

Figure 9.2: SMB file create in Wireshark

Figure 9.3: SMB authentication in Wireshark

Chapter 10

Figure 10.1: MITRE ATT&CK: Collection

Chapter 11

Figure 11.1: MITRE ATT&CK: Command and Control

Chapter 12

Figure 12.1: MITRE ATT&CK: Exfiltration

Figure 12.2: ICMP packet

Figure 12.3: Non-application server output

Chapter 13

Figure 13.1: MITRE ATT&CK: Impact

Figure 13.2: Password change event



Python® for Cybersecurity

Using Python for Cyber Offense and Defense

Howard E. Poston III

Introduction

This book is all about how to use Python for cybersecurity. Before we dive into that, let's take a moment to talk about the “why” of Python for cybersecurity.

A good starting point is answering the question “Why use automation?” If you're already in the cybersecurity field, you probably know that automation is your friend.

If you're just entering the field, consider how hard it is to keep one of your less tech-savvy relatives or friends from installing malware on their phone or falling for a phishing email. Now, scale that up to hundreds or thousands of people. Add in the fact that attackers are actually motivated to target your organization, and a single successful attack could cost the company millions of dollars. Managing cyber risk includes preventing malware infections, detecting and remediating ongoing attacks, ensuring compliance with corporate security policies, and more. By helping to handle some of this for you, automation is your friend.

So, given that automation is necessary in cybersecurity, why use Python? Python has a few features that make it a good choice, including the following:

It's popular: There's a decent chance that you already know some Python. It's a lot easier to learn new ways to use a language that you know than to learn a new language from scratch. In 2021, Python was the second most popular language on the TIOBE index (https://www.tiobe.com/tiobe-index/) and was quickly overtaking C.

It's easy: For those of you who don't know Python, it's pretty quick and easy to pick up. This is helpful for both learning and dashing out a program quickly.

It's powerful: Python has many powerful libraries that can be easily imported into your code. If you want to do anything with network traffic, it's a lot easier to use scapy than to try to do it from scratch.

How This Book Is Organized

This book is organized based on the MITRE ATT&CK framework. The MITRE ATT&CK framework is a tool produced by the MITRE Corporation to build understanding of how a cyberattack works. It takes the lifecycle of a cyberattack and breaks it into objectives that the attacker may need to achieve on the way to their final goal. For each of these objectives, MITRE ATT&CK describes various ways in which they can be accomplished.

Tactics and Techniques

The MITRE ATT&CK framework is organized as a hierarchy. At the top level of this hierarchy are the MITRE tactics, which describe the goals that an attacker may want to achieve during a cyberattack. These tactics include the following:

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

For each of these tactics, MITRE ATT&CK outlines several techniques and subtechniques that describe specific methods of achieving these goals. For example, an attacker could use Brute Force (https://attack.mitre.org/techniques/T1110/) or Network Sniffing (https://attack.mitre.org/techniques/T1040/) to achieve Credential Access (https://attack.mitre.org/tactics/TA0006/). Each of these techniques and subtechniques has its own page describing how the attack is performed, how it can be detected, and more.

This book is structured around the MITRE ATT&CK framework. Each tactic will have its own chapter (except for the first two, which are combined into MITRE Pre-ATT&CK).

Each of these chapters explores two of the techniques from its tactic and how they can be implemented in Python. Each of these offensive sections will be paired with a defensive section demonstrating how Python can also be used to defeat these attack vectors.

Why MITRE ATT&CK?

The goal of this book is to demonstrate how Python can be used to address cybersecurity use cases. To that end, it is helpful to have a clear framework that outlines different offensive and defensive cybersecurity tasks.

MITRE ATT&CK provides that framework with its hierarchy of tactics and techniques that describe the various objectives of a cyberattack and how to achieve them. This book draws offensive techniques from each of the MITRE ATT&CK tactics and demonstrates how they and defensive countermeasures can be implemented using Python.

Beyond this structure, MITRE ATT&CK is also useful because it provides a wealth of additional resources and room to grow. Each technique includes in-depth information about how the attack works and how to defend against it. MITRE ATT&CK also describes hundreds of techniques not covered in this book, providing numerous opportunities to apply Python to new use cases.

Tools You Will Need

This book is designed to demonstrate how to use Python to solve various use cases. If you don't have Python open and aren't running the code, then you're doing it wrong.

Setting Up Python

The code samples included with this book were written for version 3.9 of Python. If you are using an earlier version of Python or, if by the time you are reading this, Python has advanced so far as to break backwards compatibility, then the code samples may not work for you.

To download the latest version of Python, we recommend visiting https://www.python.org/downloads/. From there, you can download and install the appropriate version for your system. Also, install pip and ensure that Python 3 is the default Python on the system by removing Python 2.X, installing a package like python-is-python3, or creating an alias for the python and pip commands.

Most of the sample code included in this book will run on either Windows or *nix systems. However, some examples do include platform-specific functionality, such as access to Windows log files. In these cases, we recommend using a virtual machine, such as VirtualBox (https://www.virtualbox.org/wiki/Downloads) or VMware Workstation (https://www.vmware.com/products/workstation-player.html), if you don't own a computer with the necessary OS.

Accessing Code Samples

Each chapter of this book will include at least four Python code files. Depending on the exercise, additional code or files may be included as well.

These code samples are available at https://www.wiley.com/go/pythonforcybersecurity on the Download Code tab. The code samples are available in ZIP files labeled with the chapter number. Before beginning a chapter, download the appropriate file and extract its contents.

These code samples may be updated over time to maintain compatibility with current Python versions and libraries and operating system internals (such as how Windows organizes its Registry and Event logs). If this occurs, the downloadable code samples may not exactly match the sample code in the text.

Installing Packages

One of the main benefits of Python for cybersecurity is the wide range of libraries that it provides. Many of the code samples included with this book require packages that are not shipped as part of the core Python distribution.

From the Download Code tab at https://www.wiley.com/go/pythonforcybersecurity, download the ZIP file for this chapter. This includes a file named requirements.txt, which lists the Python libraries that are used within this book.

To install these packages, run the command python -m pip install -r requirements.txt in the directory where you have saved this file. If the command completes successfully, then all required packages will be downloaded and installed on your computer.

From Here

Python is a popular, easy-to-use, and powerful programming language, making it an ideal choice for cybersecurity automation. This book demonstrates how Python can be applied to various offensive and defensive cybersecurity use cases from the MITRE ATT&CK framework.

This book is designed to be interactive with code samples included for each chapter. Before moving on to the next chapter, be sure to install Python and the required Python libraries on your computer.