What would you do if you had a time machine? We cannot speak for everyone, but we can assume that the attacking teams, the defenders and the SOCs, as well as the other participants of The Standoff 2021, would not mind being transported to the upcoming battle to see how events unfold on the world's largest open cyber range, when and where the action will happen, and who will win.
There is very little time left before The Standoff (and the international cybersecurity forum "Positive Hack Days 10: The Beginning"): the new cyber exercise starts on May 18 and will run for 4 days non-stop. All tickets have already been sold, BUT don't be discouraged. Anyone will be able to follow the cyber battle live on The Standoff site from the very morning (bookmark it so you don't forget). There you can also listen to all the PHDays talks; the full program of the forum is here.
We will not manage to build a time machine that quickly, nor to know in advance what the hackers will manage to break and how the defenders will repel the attacks, but we suggest recalling how it went in the last cyber battle. This is a great way to refresh your impressions and sharpen your skills before the upcoming confrontation. Everything most important from the six-day The Standoff 2020 cyber exercise is below.
Briefly about The Standoff and its results
From 12 to 17 November, a large-scale cyber exercise took place on The Standoff cyber range. Within the competition, 29 attacking teams and 6 defending teams fought. For this massive cyber battle, a digital twin of an entire city was created; the metropolis contained replicas of transport, industrial and energy infrastructure, a business center and even a bank.
Heavy Ship Logistics;
25 Hours;
Tube;
Big Bro Group;
Nuft;
Bank of FF.
The Standoff 47.
next-generation firewalls, application firewalls, security information and event management, network traffic analysis. RBK.money. PT Expert Security Center MaxPatrol SIEM, PT Network Attack Discovery, PT Application Firewall, PT SandBox, PT ISIM.
The Standoff: Codeby, 27 123. back2oaz, 24 463. DeteAct (18 508).
IZ:SOC, m6q9. CT&MM.
Day 1.
The Standoff. 9 19. 20 n0x, Nuft. student, PHP.
88. (40%), SQL (27%).
2 50 back2oaz Nuft. 445, Metasploit Framework.
Incognito.
Days 2 and 3.
13 n0x SPbCTF F.
CT&MM. PHP 7, CVE-2019-11043. n0x. price.
Nuft. back2oaz. ScadaShare. bmc-tools, RDP. SCADA, Rapid SCADA.
back2oaz. Nuft 445/TCP. FactoryTalk View.
back2oaz, n0x, Codeby, Antichat, Nuft. Antichat, n0x, seafile. n0x, Antichat, SharpHound.
seafile. nuft\atpservice. PsExec. DCSync.
Hack.ERS, F. (GDPR). DeteAct.
POST, URL. SCS, price.
DeteAct, Bank of FF. PAN. card2account, CVV, PAN.
SPbCTF, Tube.
56. 9. TA0002 Execution, TA0003 Persistence.
13 14 18, 12. Big Bro Group.
Days 4 and 5.
27, 146, 115.
Bank of FF: SPbCTF. OWA. The Standoff.
Evilbunnywrote, F.
15. 15 16 Tube, Big Bro Group.
back2oaz. 25 Hours, nmap. back2oaz. Microsoft SQL. sa, MS SQL Server. back2oaz, MS SQL Server, xp_cmdshell. kek.exe.
back2oaz, SCADA. standoff_shell_x64. SCADA.
Back2oaz, SCADA. admin. Windows RDP.
RDP, back2oaz.
25 Hours.
TSARKA, Tube. recoverPass. id recoverPass. recoverPass 1-2.
«Nuft». Hack.ERS. back2oaz, Codeby.
Heavy Ship Logistics. DeteAct, Codeby, TSARKA.
Day 6.
Big Bro Group. ERP. Hack.ERS. CVE-2017-3167. CVE-2017-3167, Hack.ERS. Cisco ASA. password spraying, ping. ERP. Hack.ERS, PostgreSQL.
F (n0x, DeteAct, Codeby), (back2oaz), Nuft (Codeby, back2oaz), Tube (Hack.ERS), 25 Hours (back2oaz), (TSARKA).
MITRE ATT&CK.
Execution. living off the land. 63% Command and Scripting Interpreter, PowerShell. User Execution (25%). Scheduled Task/Job, System Services.
Exploit Public-Facing Application.
Create Account, Valid Accounts. (48%) Credential Dumping, lsass.exe.
Lateral Movement.
The Standoff.
24
47%. 50.
25 Hours, Nuft. Heavy Ship Logistics.
2 50
Nuft. back2oaz. F.
433
SQL. Nuft, Big Bro Group. bug bounty.
Positive Technologies 2019, 86%.
11 50
25 Hours, 26 52.
200. IZ:SOC, CT&MM. 21, 39%.
123 PT ESC
The Standoff.