You're reading from Cybersecurity Attacks ‚Äì Red Team Strategies A practical guide to building a penetration testing program having homefield advantage

Product type Paperback

Published in Mar 2020

Publisher Packt

ISBN-13 9781838828868

Length 524 pages

Edition 1st Edition

Tools

Neo4j

Concepts

Cybersecurity

Author (1):

Johann Rehberger

View More author details

Table of Contents (17) Chapters

Preface

1. Section 1: Embracing the Red

2. Chapter 1: Establishing an Offensive Security Program FREE CHAPTER

3. Chapter 2: Managing an Offensive Security Team

4. Chapter 3: Measuring an Offensive Security Program

5. Chapter 4: Progressive Red Teaming Operations

6. Section 2: Tactics and Techniques

7. Chapter 5: Situational Awareness – Mapping Out the Homefield Using Graph Databases

8. Chapter 6: Building a Comprehensive Knowledge Graph

9. Chapter 7: Hunting for Credentials

10. Chapter 8: Advanced Credential Hunting

11. Chapter 9: Powerful Automation

12. Chapter 10: Protecting the Pen Tester

13. Chapter 11: Traps, Deceptions, and Honeypots

14. Chapter 12: Blue Team Tactics for the Red Team

15. Assessments

16. Another Book You May Enjoy

Leave a review - let other readers know what you think

Understanding and using Windows Audit ACLs

On Windows, a good way to implement canary tokens and decoy files is via Audit ACLs. In Windows, every object can have a security descriptor, and there is even a language called the security descriptor definition language (SDDL) that articulates them.

The security descriptor basically contains a discretionary access control list (DACL) and an optional SACL. The former contains various Access Control Entries (ACEs) that contain information such as which account/group owns the resource and which account can read, write, and modify a particular resource.

The SACL (which is the lesser known aspect of the security descriptor) can be used for auditing purposes. This is an ACL that allows us to monitor an object for access. Using SACLs is perfect for sentinel objects and honeytokens. This is what we are going to do next.