Name: Defensive Origins
Type: Organization
Bio: A research, consulting, and educational organization founded to help businesses and non-profits build and manage their Information Security Knowledge Capital
Twitter: DefensiveOGs
Location: Black Hills, South Dakota
Blog: https://www.defensiveorigins.com
Defensive Origins's Projects
Attack Detect Defend Course Pre-Requisites
ADD Extras
Scripts to build the threat optics stack quickly (abbreviated and automated). Run after APT-Lab-Terraform.
Purple Teaming Attack & Hunt Lab - Terraform
Applied Purple Teaming Course Pre-Requisites
Applied Purple Teaming - (ITOCI4hr) - Infrastructure, Threat Optics, and Continuous Improvement - June 6, 2020
Location for a few things necessary for APT22
Defcon 28 - Red Team Village - Applied Purple Teaming - Why Can't We Be Friends
Atomic Purple Team Framework and Lifecycle
Automatic Sender Policy Framework Reconnaissance
BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory domain with a structure and thousands of objects. The output of the tool is a domain similar to one found in the real world. After BadBlood is run on a domain, security analysts and engineers can practice using tools to understand and secure Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
Six Degrees of Domain Admin
A Python based ingestor for BloodHound
A PowerShell module to deploy active directory decoy objects.
Detect msDS-KeyCredentialLink Changes
Repo for Defensive Origins images for markdown, etc.
Build a domain with three quick PowerShell scripts!
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the user list from the domain. BE VERY CAREFUL NOT TO LOCK OUT ACCOUNTS!
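The lockout warning above is the part of a spray that goes wrong most often, so here is an added example (not code from DomainPasswordSpray or from Defensive Origins) of the check a practitioner runs before the first round: read the domain lockout threshold and observation window, fold in any fine-grained password policy that is stricter than the default, and compute how many guesses per account fit in one window. It assumes the ActiveDirectory RSAT module is installed and that the session runs in a domain-joined context; the function name and the SafetyMargin parameter are this example's own.

```powershell
function Get-SprayLockoutBudget {
    <#
    Reads the domain lockout policy (default policy plus any fine-grained
    password policies) and reports how many guesses per account fit inside
    one observation window without tripping a lockout.
    Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
    #>
    [CmdletBinding()]
    param(
        # Passwords you plan to try per account within a single observation window
        [int]$PlannedAttempts = 1,
        # Guesses held back below the threshold, since badPwdCount may already be non-zero
        [int]$SafetyMargin = 2
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $default = Get-ADDefaultDomainPasswordPolicy
    # A threshold of 0 means "never lock out"; only non-zero thresholds matter
    $thresholds = @()
    $windows    = @()
    if ($default.LockoutThreshold -gt 0) {
        $thresholds += $default.LockoutThreshold
        $windows    += $default.LockoutObservationWindow
    }

    # Fine-grained password policies (PSOs) can impose a stricter threshold on
    # specific users or groups than the default domain policy does.
    $psos = @(Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue)
    foreach ($pso in $psos) {
        if ($pso.LockoutThreshold -gt 0) {
            $thresholds += $pso.LockoutThreshold
            $windows    += $pso.LockoutObservationWindow
        }
    }

    if ($thresholds.Count -eq 0) {
        return [pscustomobject]@{
            EffectiveThreshold = 0
            ObservationWindow  = $null
            SafeAttempts       = [int]::MaxValue
            PlannedAttempts    = $PlannedAttempts
            Safe               = $true
            Note               = 'No lockout threshold configured in the default policy or any PSO'
        }
    }

    # Plan against the strictest threshold and the longest window seen anywhere
    $effective = ($thresholds | Measure-Object -Minimum).Minimum
    $longest   = $windows | Sort-Object -Descending | Select-Object -First 1
    $safe      = [Math]::Max(0, $effective - $SafetyMargin)

    [pscustomobject]@{
        EffectiveThreshold = $effective
        ObservationWindow  = $longest
        SafeAttempts       = $safe
        PlannedAttempts    = $PlannedAttempts
        Safe               = ($PlannedAttempts -le $safe)
        Note               = "Wait at least $longest between rounds, or stop at $safe guesses per account"
    }
}

# Example: one password per round, keep two guesses in reserve
Get-SprayLockoutBudget -PlannedAttempts 1 -SafetyMargin 2
```

If `Safe` comes back `$false`, either spread the round across more than one observation window or trim the password list; the margin exists because accounts may already carry a bad-password count from users mistyping, and the spray cannot see that without querying every account.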
Additional resources for DTE 2022
Empire is a PowerShell and Python post-exploitation agent.
This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.
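As an added example of the approach described above (not the function itself and not Defensive Origins' code), the following collects the same kind of situational awareness through .NET and CIM calls rather than by spawning net.exe, ipconfig.exe, whoami.exe or netstat.exe, so no process-creation event for those binaries is produced. The function name is this example's own; it assumes Windows PowerShell 5.1 with the built-in LocalAccounts module.

```powershell
function Get-HostSituationalAwareness {
    <#
    Collects local host, user and domain facts through .NET and CIM calls
    instead of spawning net.exe, ipconfig.exe, whoami.exe or netstat.exe,
    so that no child-process creation event (Sysmon EID 1 / Security 4688)
    for those binaries is generated.
    #>
    [CmdletBinding()]
    param()

    # Current user and whether the token is elevated (replaces whoami /groups)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # IPv4 addresses on interfaces that are up (replaces ipconfig)
    $ipv4 = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.Address.IPAddressToString }

    # Established TCP sessions (replaces netstat -an)
    $tcp = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections() |
        Where-Object { $_.State -eq 'Established' } |
        ForEach-Object { "{0} -> {1}" -f $_.LocalEndPoint, $_.RemoteEndPoint }

    # Host name and domain membership (replaces hostname / net config workstation)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainInfo = $null
    if ($cs.PartOfDomain) {
        try {
            $d = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
            $domainInfo = [pscustomobject]@{
                Name              = $d.Name
                PdcRoleOwner      = $d.PdcRoleOwner.Name
                DomainControllers = @($d.DomainControllers | ForEach-Object { $_.Name })
            }
        } catch {
            $domainInfo = "Domain lookup failed: $($_.Exception.Message)"
        }
    }

    # Members of the local Administrators group (replaces net localgroup administrators)
    $localAdmins = try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object { $_.Name }
    } catch { @() }

    [pscustomobject]@{
        Hostname       = $cs.Name
        User           = $identity.Name
        IsElevated     = $isAdmin
        IPv4Addresses  = @($ipv4)
        Domain         = $domainInfo
        LocalAdmins    = @($localAdmins)
        EstablishedTcp = @($tcp)
    }
}

Get-HostSituationalAwareness | Format-List
```

Avoiding those binaries only removes the process-creation telemetry; PowerShell script block logging (Event ID 4104) and the WMI activity behind `Get-CimInstance` still record what ran, so a defender watching those channels sees the reconnaissance either way.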
Impacket is a collection of Python classes for working with network protocols.
Various components we use in labs
A simple parser for Sysmon logs (event IDs through 28) for Microsoft Sentinel