Merge branch '88-fixed-ads-slides' into 'master'

Update 2_3_ADS_winSlides.adoc

Closes #88

See merge request os/public!77

os/modules/005_windows_ads/pages/2_3_ADS_winSlides.adoc

-= Active Directory, BloodHound, and PowerView
-//CCTC - OS
+= Windows: Alternate Data Streams
+//CCTC - Windows
 //v2.0, 2019-04-23
 //.images
 :slides: true
@@ -14,8 +14,6 @@
 :revealjs_slideNumber: true
 :revealjs_showSlideNumber: all
 
-
-
 == Key
 
 * [HIGH]#Emphasis/Highlighting#
@@ -24,213 +22,57 @@
 * [ORANGE]#Demo Scripts#
 * [GREEN]#Commands#
 
+image::slide_title_blk.png[background, size=100%]
 
-
-== [GOLD]#Day 1 Class Schedule#
+== [GOLD]#Day 2-3 Class Schedule#
 
 [cols="1,1"]
 |===
 | Topics                                    | Time
-| Active Directory Enumeration              | 45 minutes
-| BloodHound Demonstration                  | 10 minutes
-| PowerView Demonstration                   | 10 minutes
-| CTFd Challenges                           | 180 minutes
+| Windows: Alternate Data Streams           | 30 minutes
+| *Total*                                   | *30 Minutes*
 |===
 
 image::slide_background_blk.png[background, size=100%]
 
+== [GOLD]#Alternate Data Streams#
 
-
-== [GOLD]#Objectives#
-
-* Contrast privilege levels of local domain groups and accounts
-* Use CMD shell to query, view, analyze, modify and create AD Objects
-* Use PowerShell to query, view, analyze, modify, and create AD Objects
-* Use PowerShell to survey domain controller security posture
+* First introduced to NTFS in Windows NT 3.1 
+* Implementing filesystem forks in order to maintain compatibility with other filesystems
+** Apple’s HFS+ and Novell’s NWFS and NSS.
+* NTFS File consists of 
+** Attributes, Security settings, Main stream, Alternate streams
+*** By default, only the Main stream is visible.
 
 image::slide_background_blk.png[background, size=100%]
 
+== [GOLD]#Alternate Data Streams Continued#
 
-
-== [GOLD]#Administrator Best Practices#
-
-* What are AD Administrator best practices?
-
-** Least privilege?
-** Group Nesting?
-** Administrator local logon?
+* ADS stores metadata
+** File attributes, Icons, Image thumbnails.
+* Used to hide data using NTFS.
+* Scanned by antivirus (Windows Defender Smartscreen is ADS aware).
+* Does not change the MD5 hash of the file.
 
 image::slide_background_blk.png[background, size=100%]
 
+== [GOLD]#Alternate Data Streams Continued#
 
-
-== [GOLD]#Group Nesting#
-
-* What security flaw does group nesting create?
-** [RED]#AD nested group enumeration demo#
+* Deleted once copied to a fat32.
+* Cannot be disabled.
+* [HIGH]#[filename.extension]:[alternate_stream_name]::$DATA#
 
 image::slide_background_blk.png[background, size=100%]
 
+== [RED]#DEMO: Creating and Viewing Alternate Data Streams#
 
-
-== [GOLD]#Local Administrator Logon#
-
-* [HIGH]#Never login as administrator#
-* RUNAS
-* Default local administrator disabled
+* Step one: Open an [HIGH]#Administrative# command prompt and create a simple file.
 
 image::slide_background_blk.png[background, size=100%]
 
-
-
-== [GOLD]#Group Policy Object Queries#
-
-* [GREEN]#gpresult#
-
-* [GREEN]#Get-GPResultantSetOfPolicy#
-
-* [RED]#Demo#
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#HUNTING in AD#
-
-* Who
-* What
-* Where
-* When
-* Why
+== [RED]#DEMO: Creating and Executing Malicious Alternate Data Streams#
 
 image::slide_background_blk.png[background, size=100%]
 
 
 
-== [GOLD]#Suspicious Activity#
-
-* Unknown admin accounts
-* Active outside normal work hours
-* Nested groups
-* Service accounts logging into hosts
-* User accounts logging into critical infrastructure (i.e. Domain Controller)
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#User Enumeration for HUNTING purposes#
-
-* Methods
-** CMD
-** PowerShell
-** Logs
-** 3^rd^ party software
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#DSTOOLS#
-
-* [GREEN]#DSADD#
-* [GREEN]#DSGET#
-* [GREEN]#DSMOD#
-* [GREEN]#DSMOVE#
-* [GREEN]#DSQUERY#
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#PowerShell AD Commands#
-
-* (VERB)-AD(NOUN)
-** Examples
-*** [GREEN]#Get-ADUser#
-*** [GREEN]#New-ADUser -Name "Bad Guy" -PasswordNotRequired 1 -Path "OU=3RD LPT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=ARMY,DC=WARRIORS"#
-
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#Demo#
-
-
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#BloodHound#
-
-* Free tool that is used by defenders and attackers to gain a deeper understanding of privilege relationships in an Active Directory environment
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#BloodHound Uses#
-
-* Reveal hidden relationships
-* Identify complex attack paths
-* Gain better understanding of privilege relationships
-* Leverages [HIGH]#PowerView# for advanced querying
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#BloodHound Collected Artifacts#
-
-* Group Membership
-* Local/Domain Groups/Admins
-* Domain Trusts
-* Session Information
-* GPO/OU Information
-* Logged on Users
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#https://youtu.be/MYxk73DsGQI[Bloodhound Demo]#
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#PowerView#
-
-* Reconnaissance tool
-** Gain situational awareness on Windows domains
-* Utilizes PowerShell AD functions
-* Leverages custom built functions focused on HUNT operations
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#Installation#
-
-* Ensure Anti-virus is temporarily turned off
-* Download zip file from [HIGH]#https://github.com/PowerShellMafia/PowerSploit#
-* Copy the [HIGH]#Recon# folder to one of the default PowerShell module paths
-* Import the [HIGH]#Recon# module
-* Run Commands!
-* [RED]#Demo#
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#Questions?#
-
-image::slide_background_blk.png[background, size=100%]
-
-
-
-== [GOLD]#CTFd Challenges#
-
-image::slide_background_blk.png[background, size=100%]