Python for Cybersecurity: Using Python for Cyber Offense and Defense

Discover an up-to-date and authoritative exploration of Python cybersecurity strategies

Python For Cybersecurity: Using Python for Cyber Offense and Defense delivers an intuitive and hands-on explanation of using Python for cybersecurity. It relies on the MITRE ATT&CK framework to structure its exploration of cyberattack techniques, attack defenses, and the key cybersecurity challenges facing network administrators and other stakeholders today.

Offering downloadable sample code, the book is written to help you discover how to use Python in a wide variety of cybersecurity situations, including:

  • Reconnaissance, resource development, initial access, and execution
  • Persistence, privilege escalation, defense evasion, and credential access
  • Discovery, lateral movement, collection, and command and control
  • Exfiltration and impact

Each chapter includes discussions of several techniques and sub-techniques that could be used to achieve an attacker's objectives in any of these use cases. The ideal resource for anyone with a professional or personal interest in cybersecurity, Python For Cybersecurity offers in-depth information about a wide variety of attacks and effective, Python-based defenses against them.

Author(s): Howard E. Poston III
Publisher: Wiley
Year: 2022

Language: English
Pages: 241
City: Hoboken

Cover
Title Page
Copyright Page
About the Author
Acknowledgments
About the Technical Editor
Contents at a Glance
Contents
Introduction
How This Book Is Organized
Tactics and Techniques
Why MITRE ATT&CK?
Tools You Will Need
Setting Up Python
Accessing Code Samples
Installing Packages
From Here
Chapter 1 Fulfilling Pre-ATT&CK Objectives
Active Scanning
Scanning Networks with scapy
Implementing a SYN Scan in scapy
Performing a DNS Scan in scapy
Running the Code
Network Scanning for Defenders
Monitoring Traffic with scapy
Building Deceptive Responses
Running the Code
Search Open Technical Databases
Offensive DNS Exploration
Searching DNS Records
Performing a DNS Lookup
Reverse DNS Lookup
Running the Code
DNS Exploration for Defenders
Handling DNS Requests
Building a DNS Response
Running the Code
Summary
Suggested Exercises
Chapter 2 Gaining Initial Access
Valid Accounts
Discovering Default Accounts
Accessing a List of Default Credentials
Starting SSH Connections in Python
Performing Telnet Queries in Python
Running the Code
Account Monitoring for Defenders
Introduction to Windows Event Logs
Accessing Event Logs in Python
Detecting Failed Logon Attempts
Identifying Unauthorized Access to Default Accounts
Running the Code
Replication Through Removable Media
Exploiting Autorun
Converting Python Scripts to Windows Executables
Generating an Autorun File
Setting Up the Removable Media
Running the Code
Detecting Autorun Scripts
Identifying Removable Drives
Finding Autorun Scripts
Detecting Autorun Processes
Running the Code
Summary
Suggested Exercises
Chapter 3 Achieving Code Execution
Windows Management Instrumentation
Executing Code with WMI
Creating Processes with WMI
Launching Processes with PowerShell
Running the Code
WMI Event Monitoring for Defenders
WMI in Windows Event Logs
Accessing WMI Event Logs in Python
Processing Event Log XML Data
Running the Code
Scheduled Task/Job
Scheduling Malicious Tasks
Checking for Scheduled Tasks
Scheduling a Malicious Task
Running the Code
Task Scheduling for Defenders
Querying Scheduled Tasks
Identifying Suspicious Tasks
Running the Code
Summary
Suggested Exercises
Chapter 4 Maintaining Persistence
Boot or Logon Autostart Execution
Exploiting Registry Autorun
The Windows Registry and Autorun Keys
Modifying Autorun Keys with Python
Running the Code
Registry Monitoring for Defenders
Querying Windows Registry Keys
Searching the HKU Hive
Running the Code
Hijack Execution Flow
Modifying the Windows Path
Accessing the Windows Path
Modifying the Path
Running the Code
Path Management for Defenders
Detecting Path Modification via Timestamps
Enabling Audit Events
Monitoring Audit Logs
Running the Code
Summary
Suggested Exercises
Chapter 5 Performing Privilege Escalation
Boot or Logon Initialization Scripts
Creating Malicious Logon Scripts
Achieving Privilege Escalation with Logon Scripts
Creating a Logon Script
Running the Code
Searching for Logon Scripts
Identifying Autorun Keys
Running the Code
Hijack Execution Flow
Injecting Malicious Python Libraries
How Python Finds Libraries
Creating a Python Library
Running the Code
Detecting Suspicious Python Libraries
Identifying Imports
Detecting Duplicates
Running the Code
Summary
Suggested Exercises
Chapter 6 Evading Defenses
Impair Defenses
Disabling Antivirus
Disabling Antivirus Autorun
Terminating Processes
Creating Decoy Antivirus Processes
Catching Signals
Running the Code
Hide Artifacts
Concealing Files in Alternate Data Streams
Exploring Alternate Data Streams
Alternate Data Streams in Python
Running the Code
Detecting Alternate Data Streams
Walking a Directory with Python
Using PowerShell to Detect ADS
Parsing PowerShell Output
Running the Code
Summary
Suggested Exercises
Chapter 7 Accessing Credentials
Credentials from Password Stores
Dumping Credentials from Web Browsers
Accessing the Chrome Master Key
Querying the Chrome Login Data Database
Parsing Output and Decrypting Passwords
Running the Code
Monitoring Chrome Passwords
Enabling File Auditing
Detecting Local State Access Attempts
Running the Code
Network Sniffing
Sniffing Passwords with scapy
Port-Based Protocol Identification
Sniffing FTP Passwords
Extracting SMTP Passwords
Tracking Telnet Authentication State
Running the Code
Creating Deceptive Network Connections
Creating Decoy Connections
Running the Code
Summary
Suggested Exercises
Chapter 8 Performing Discovery
Account Discovery
Collecting User Account Data
Identifying Administrator Accounts
Collecting User Account Information
Accessing Windows Password Policies
Running the Code
Monitoring User Accounts
Monitoring Last Login Times
Monitoring Administrator Login Attempts
Running the Code
File and Directory Discovery
Identifying Valuable Files and Folders
Regular Expressions for Data Discovery
Parsing Different File Formats
Running the Code
Creating Honeypot Files and Folders
Monitoring Decoy Content
Creating the Decoy Content
Running the Code
Summary
Suggested Exercises
Chapter 9 Moving Laterally
Remote Services
Exploiting Windows Admin Shares
Enabling Full Access to Administrative Shares
Transferring Files via Administrative Shares
Executing Commands on Administrative Shares
Running the Code
Admin Share Management for Defenders
Monitoring File Operations
Detecting Authentication Attempts
Running the Code
Use Alternative Authentication Material
Collecting Web Session Cookies
Accessing Web Session Cookies
Running the Code
Creating Deceptive Web Session Cookies
Creating Decoy Cookies
Monitoring Decoy Cookie Usage
Running the Code
Summary
Suggested Exercises
Chapter 10 Collecting Intelligence
Clipboard Data
Collecting Data from the Clipboard
Accessing the Windows Clipboard
Replacing Clipboard Data
Clipboard Management for Defenders
Monitoring the Clipboard
Processing Clipboard Messages
Identifying the Clipboard Owner
Running the Code
Email Collection
Collecting Local Email Data
Accessing Local Email Caches
Running the Code
Protecting Against Email Collection
Identifying Email Caches
Searching Archive Files
Running the Code
Summary
Suggested Exercises
Chapter 11 Implementing Command and Control
Encrypted Channel
Command and Control Over Encrypted Channels
Encrypted Channel Client
Encrypted Channel Server
Running the Code
Detecting Encrypted C2 Channels
Performing Entropy Calculations
Detecting Encrypted Traffic
Running the Code
Protocol Tunneling
Command and Control via Protocol Tunneling
Protocol Tunneling Client
Protocol Tunneling Server
Running the Code
Detecting Protocol Tunneling
Extracting Field Data
Identifying Encoded Data
Running the Code
Summary
Suggested Exercises
Chapter 12 Exfiltrating Data
Alternative Protocols
Data Exfiltration Over Alternative Protocols
Alternative Protocol Client
Alternative Protocol Server
Running the Code
Detecting Alternative Protocols
Detecting Embedded Data
Running the Code
Non-Application Layer Protocols
Data Exfiltration via Non-Application Layer Protocols
Non-Application Layer Client
Non-Application Layer Server
Running the Code
Detecting Non-Application Layer Exfiltration
Identifying Anomalous Type and Code Values
Running the Code
Summary
Suggested Exercises
Chapter 13 Achieving Impact
Data Encrypted for Impact
Encrypting Data for Impact
Identifying Files to Encrypt
Encrypting and Decrypting Files
Running the Code
Detecting File Encryption
Finding Files of Interest
Calculating File Entropies
Running the Code
Account Access Removal
Removing Access to User Accounts
Changing Windows Passwords
Changing Linux Passwords
Running the Code
Detecting Account Access Removal
Detecting Password Changes in Windows
Detecting Password Changes in Linux
Running the Code
Summary
Suggested Exercises
Index
EULA