But as they say, no defense is 100% foolproof. They WILL get in anyhow, it's how long you take to to detect and respond.
Some highlights from Arsenal:
o CrackMapExec
§ Aims to be a one-stop-shop for pentesting Active Directory environments! Think smbexec on steroids, combining the latest and greatest techniques for AD ownage in a single tool!
§ From enumerating logged on users and spidering SMB shares to executing psexec style attacks, concurrently auto-injecting Mimikatz/Shellcode/DLL's into memory using Powershell, dumping the NTDS.dit, querying and executing commands through MSSQL DB's and more!
§ The biggest improvements over the current tools are:
· Pure Python script, no external tools required
· Fully concurrent threading
· Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
· Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc...)
§ Fully open-source and hosted on Github!
o VirusTotal
§ A free online file and URL scanner that everyone knows.
§ However there are many free features that many users don't know about such as:
· A free public API for anyone to automate file or URL analysis.
· IP address and domain reputation. See malware files known to be associated with a particular IP address or domain, and history Passive DNS info
· Sysinternals, Carbon black, etc. integrations
· Static analysis of files, structural analysis of many file types (PE, ELF, APK, ZIP, RAR, MACHO, .NET, office, etc)
· Sandbox dynamic analysis of PE, APK, Apple Mach-O, and applications.
· ROMS, BIOS, and firmware files
· SSDEEP, authentihash, imphash, and other similarity indexes
· Certificate checks on signed files
· Whitelisting of trusted files
· Free desktop scanning applications for Windows, MAC, and open source for compilation on linux.
Had a short chat with the developer of CrackMapExec, he mentioned that this tool runs entirely in memory and does not have any footprint. It is basically undetectable, except that the only tell-tale signs of execution would be spikes in the CPU and RAM usage.
Demonstration of CrackMapExec by @byt3bl33d3r
