{"id":9835,"date":"2017-11-01T11:45:00","date_gmt":"2017-11-01T17:45:00","guid":{"rendered":"https:\/\/swimlane.com\/resource\/offensive-ops-for-defenders\/"},"modified":"2023-03-10T10:17:36","modified_gmt":"2023-03-10T17:17:36","slug":"operations-offensives-pour-les-defenseurs","status":"publish","type":"sw_resource","link":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/","title":{"rendered":"Empoisonner le puits : Op\u00e9rations offensives pour les d\u00e9fenseurs"},"content":{"rendered":"\n\n\n<section class=\"bs-section bs-section-f49668dca89a07af4c4bed27713f079b6839f643 bs-section---default bs-section--blog-inner-banner  \"><style>.bs-section.bs-section-f49668dca89a07af4c4bed27713f079b6839f643{ background-color: #000743;} <\/style><div class=\"container\">\n<div class=\"bs-row row  flex-md-row-reverse bs-row---default\">\n<div class=\" bs-column col-sm-12 col-md-12 col-lg-6   bs-column-3c02e72bbbdd27fbc2206a57dc520373f8b450b2 bs-column---default bs-column--right d-flex flex-column justify-content-end    \"><figure class=\"wp-block-post-featured-image\"><img decoding=\"async\" src=\"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png\" class=\"attachment-post-thumbnail size-post-thumbnail wp-post-image\" alt=\"Diagram showing PowerShell and Swimlane integration for DFIR tasks, including external and internal tagging and SOC notification.\" style=\"object-fit:cover;\" srcset=\"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png 1120w, https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders-300x186.png 300w, https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders-1024x636.png 1024w, https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders-768x477.png 768w\" sizes=\"(max-width: 1120px) 100vw, 1120px\" \/><\/figure><\/div>\n\n\n\n<div class=\" bs-column col-sm-12  col-md-12 col-lg-6   
bs-column-6a13826d98ae006805bf00373c567a95c3c65a9a bs-column---default d-flex flex-column    \"><div class=\"wp-block-post-date\"><time datetime=\"2017-11-01T11:45:00-06:00\">Nov 1, 2017<\/time><\/div>\n\n<h1 class=\"wp-block-post-title has-text-color has-white-color\">Poison the well: Offensive ops for defenders<\/h1>\n\n\n<div class=\"bs-div bs-div-f106fb945b2c4610a440b9e5b4f63c0c1cbbec02 bs-div---default\"><div class=\"bs-div__inner d-flex flex-wrap align-items-center    \">\n<a class=\"bs-post__author has-text-align-center\" href=\"https:\/\/swimlane.com\/fr\/author\/Katie_Bykowski\/\">\n\t<div class=\"profile-desc\">\n\t\t<figure>\n\t\t\t<img decoding=\"async\" src=\"https:\/\/swimlane.com\/wp-content\/uploads\/author_Katie_Bykowski.jpg\" alt=\"user-avatar\">\n\t\t<\/figure>\n\t\t<span class=\"prefix\"><\/span>\n\t\t<span class=\"name\">\n\t\t\tKatie Bykowski\t\t<\/span>\n\t<\/div>\n<\/a>\n\n\n\n<div class=\"reading-time\">\n    <span class=\"reading-time__time\">4 <\/span> Minute Read\n<\/div><\/div><\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n\n\n\n\n\n\n\n\n\n<section class=\"bs-section bs-section-050e6505c2b06c7ce9ca858e2f56661a365e6ba8 bs-section---default bs-section--blog-inner-main-contents  \"><div class=\"container\">\n<div class=\"bs-row row justify-content-between  bs-row---default\">\n<div class=\" bs-column col-sm-12 col-md-1   bs-column-b9d738473a055284b615b4f50be5a383dfe4cc38 bs-column---default     \"><div class=\"heateor_sss_sharing_container heateor_sss_horizontal_sharing\" data-heateor-ss-offset=\"0\" data-heateor-sss-href='https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/'><div class=\"heateor_sss_sharing_ul\"><a aria-label=\"Email\" class=\"heateor_sss_email\" href=\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/\" onclick=\"event.preventDefault();window.open('mailto:?subject=' + decodeURIComponent('Poison%20the%20well%3A%20Offensive%20ops%20for%20defenders').replace('&', '%26') + 
'&body=https%3A%2F%2Fswimlane.com%2Ffr%2Fblog%2Foffensive-ops-for-defenders%2F', '_blank')\" title=\"Email\" rel=\"noopener\" style=\"font-size:32px!important;box-shadow:none;display:inline-block;vertical-align:middle\"><span class=\"heateor_sss_svg\" style=\"background-color:#649a3f;width:35px;height:35px;border-radius:999px;display:inline-block;opacity:1;float:left;font-size:32px;box-shadow:none;display:inline-block;font-size:16px;padding:0 4px;vertical-align:middle;background-repeat:repeat;overflow:hidden;padding:0;cursor:pointer;box-sizing:content-box\"><svg style=\"display:block;border-radius:999px;\" focusable=\"false\" aria-hidden=\"true\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"100%\" height=\"100%\" viewBox=\"-.75 -.5 36 36\"><path d=\"M 5.5 11 h 23 v 1 l -11 6 l -11 -6 v -1 m 0 2 l 11 6 l 11 -6 v 11 h -22 v -11\" stroke-width=\"1\" fill=\"#fff\"><\/path><\/svg><\/span><\/a><a aria-label=\"Twitter\" class=\"heateor_sss_button_twitter\" href=\"https:\/\/twitter.com\/intent\/tweet?text=Poison%20the%20well%3A%20Offensive%20ops%20for%20defenders&url=https%3A%2F%2Fswimlane.com%2Ffr%2Fblog%2Foffensive-ops-for-defenders%2F\" title=\"Twitter\" rel=\"nofollow noopener\" target=\"_blank\" style=\"font-size:32px!important;box-shadow:none;display:inline-block;vertical-align:middle\"><span class=\"heateor_sss_svg heateor_sss_s__default heateor_sss_s_twitter\" style=\"background-color:#55acee;width:35px;height:35px;border-radius:999px;display:inline-block;opacity:1;float:left;font-size:32px;box-shadow:none;display:inline-block;font-size:16px;padding:0 4px;vertical-align:middle;background-repeat:repeat;overflow:hidden;padding:0;cursor:pointer;box-sizing:content-box\"><svg style=\"display:block;border-radius:999px;\" focusable=\"false\" aria-hidden=\"true\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"100%\" height=\"100%\" viewBox=\"-4 -4 39 39\"><path d=\"M28 8.557a9.913 9.913 0 0 1-2.828.775 4.93 4.93 0 0 0 2.166-2.725 9.738 9.738 0 0 1-3.13 1.194 4.92 
4.92 0 0 0-3.593-1.55 4.924 4.924 0 0 0-4.794 6.049c-4.09-.21-7.72-2.17-10.15-5.15a4.942 4.942 0 0 0-.665 2.477c0 1.71.87 3.214 2.19 4.1a4.968 4.968 0 0 1-2.23-.616v.06c0 2.39 1.7 4.38 3.952 4.83-.414.115-.85.174-1.297.174-.318 0-.626-.03-.928-.086a4.935 4.935 0 0 0 4.6 3.42 9.893 9.893 0 0 1-6.114 2.107c-.398 0-.79-.023-1.175-.068a13.953 13.953 0 0 0 7.55 2.213c9.056 0 14.01-7.507 14.01-14.013 0-.213-.005-.426-.015-.637.96-.695 1.795-1.56 2.455-2.55z\" fill=\"#fff\"><\/path><\/svg><\/span><\/a><a aria-label=\"Facebook\" class=\"heateor_sss_facebook\" href=\"https:\/\/www.facebook.com\/sharer\/sharer.php?u=https%3A%2F%2Fswimlane.com%2Ffr%2Fblog%2Foffensive-ops-for-defenders%2F\" title=\"Facebook\" rel=\"nofollow noopener\" target=\"_blank\" style=\"font-size:32px!important;box-shadow:none;display:inline-block;vertical-align:middle\"><span class=\"heateor_sss_svg\" style=\"background-color:#0765FE;width:35px;height:35px;border-radius:999px;display:inline-block;opacity:1;float:left;font-size:32px;box-shadow:none;display:inline-block;font-size:16px;padding:0 4px;vertical-align:middle;background-repeat:repeat;overflow:hidden;padding:0;cursor:pointer;box-sizing:content-box\"><svg style=\"display:block;border-radius:999px;\" focusable=\"false\" aria-hidden=\"true\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"100%\" height=\"100%\" viewBox=\"0 0 32 32\"><path fill=\"#fff\" d=\"M28 16c0-6.627-5.373-12-12-12S4 9.373 4 16c0 5.628 3.875 10.35 9.101 11.647v-7.98h-2.474V16H13.1v-1.58c0-4.085 1.849-5.978 5.859-5.978.76 0 2.072.15 2.608.298v3.325c-.283-.03-.775-.045-1.386-.045-1.967 0-2.728.745-2.728 2.683V16h3.92l-.673 3.667h-3.247v8.245C23.395 27.195 28 22.135 28 16Z\"><\/path><\/svg><\/span><\/a><a aria-label=\"Linkedin\" class=\"heateor_sss_button_linkedin\" href=\"https:\/\/www.linkedin.com\/sharing\/share-offsite\/?url=https%3A%2F%2Fswimlane.com%2Ffr%2Fblog%2Foffensive-ops-for-defenders%2F\" title=\"Linkedin\" rel=\"nofollow noopener\" target=\"_blank\" 
style=\"font-size:32px!important;box-shadow:none;display:inline-block;vertical-align:middle\"><span class=\"heateor_sss_svg heateor_sss_s__default heateor_sss_s_linkedin\" style=\"background-color:#0077b5;width:35px;height:35px;border-radius:999px;display:inline-block;opacity:1;float:left;font-size:32px;box-shadow:none;display:inline-block;font-size:16px;padding:0 4px;vertical-align:middle;background-repeat:repeat;overflow:hidden;padding:0;cursor:pointer;box-sizing:content-box\"><svg style=\"display:block;border-radius:999px;\" focusable=\"false\" aria-hidden=\"true\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"100%\" height=\"100%\" viewBox=\"0 0 32 32\"><path d=\"M6.227 12.61h4.19v13.48h-4.19V12.61zm2.095-6.7a2.43 2.43 0 0 1 0 4.86c-1.344 0-2.428-1.09-2.428-2.43s1.084-2.43 2.428-2.43m4.72 6.7h4.02v1.84h.058c.56-1.058 1.927-2.176 3.965-2.176 4.238 0 5.02 2.792 5.02 6.42v7.395h-4.183v-6.56c0-1.564-.03-3.574-2.178-3.574-2.18 0-2.514 1.7-2.514 3.46v6.668h-4.187V12.61z\" fill=\"#fff\"><\/path><\/svg><\/span><\/a><\/div><div class=\"heateorSssClear\"><\/div><\/div>\n<\/div>\n\n\n\n<div class=\" bs-column col-sm-12  col-lg-8 col-md-11   bs-column-5fcbee853797bef68c609dd2715f511e3ead78a3 bs-column---default bs-column--contents     \">\n<h2><\/h2>\n<p>The old adage of \u201cThe best defense is a good offense\u201d has started to gain traction amongst security operations center (SOC) and information security teams alike. But to many, consistent red teaming and penetration testing may seem like a lofty goal that feels secondary to investigating the deluge of alerts and alarms they face.<\/p>\n<p>If you find yourself not able to dedicate the time and resources to fully developed mock attacks, you can always go on the offensive by trying to predict what an attacker might do and use it against them. 
And there\u2019s a good chance that whoever the attacker is, they\u2019ll be looking to exfiltrate data.<\/p>\n<h3>Seeding tainted files<\/h3>\n<p>In this post, we will explore the technique of seeding \u201ctainted\u201d files (i.e. files embedded with a payload) around a network in order to catch a malicious actor stealing valuable information. One of our tools of choice is an open-source post-exploitation tool, <a href=\"https:\/\/www.powershellempire.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell Empire<\/a>. It has robust exploitation capabilities and a nifty REST API that makes integration with Swimlane a snap.<\/p>\n<h3>Embed a payload<\/h3>\n<p>First, we\u2019ll need to create the files we want to place around our network. For the purposes of this post, we\u2019ll assume you know how to embed a payload into various media forms. If not, <a href=\"https:\/\/enigma0x3.net\/2016\/03\/15\/phishing-with-empire\/\" target=\"_blank\" rel=\"noreferrer noopener\">here are a few basics<\/a>.<\/p>\n<p>The key is to make them look good but not too good. We want the attackers to believe they have stumbled upon something valuable that we\u2019d rather they not have. The files need to be consistent with items found throughout your network but named to catch the eye. Empire gives you many options for payloads, so mix it up. If you have development going on internally, sprinkle in more than just Word documents. ELF binaries are a great way to diversify.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2159\" src=\"https:\/\/swimlane.com\/assets\/uploads\/images\/wp\/2017\/11\/Empire-1.png\" alt=\"Empire-Uses-Tagger\" width=\"973\" height=\"98\"><\/p>\n<p>While we\u2019re talking about sowing a wide swath with these files, to maximize the chances that we pique an attacker\u2019s interest we need numerous file types in multiple locations. 
User endpoints are great, but file servers are prime locations for data exfiltration. Unless an attacker is severely limited by time, they are often going to seek file shares as one of the main targets. Additionally, don\u2019t stash the files on honeypots (fake servers) within your system and think that you\u2019re going to misdirect attackers to those rather than legitimate servers. Make the tainted files look promising by adding them into production systems.<\/p>\n<p>So, now we have embedded files waiting on an attacker to pull them down and open them up. But, what do we do once we catch a callback? Why seed files at all? Well, first off, if sensitive data is being stolen you probably need to know about it. More importantly there are only a handful of ways to stop attackers like this, and the answer is not to \u201chack back.\u201d For true APTs, the only way to keep them at bay is to either expose their tools (exploits, payloads, etc.) <em>or<\/em> expose their infrastructure. Making either of those elements public will force them to make changes, which are often costly or severely impact their operations.<\/p>\n<p>Oh, and look. We just caught a callback (of course, we normally won\u2019t see this because we\u2019re automating through Swimlane)\u2026<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2160\" src=\"https:\/\/swimlane.com\/assets\/uploads\/images\/wp\/2017\/11\/Empire2.png\" alt=\"Empire - Callback\" width=\"975\" height=\"52\"><\/p>\n<p>We will treat ingestion into Swimlane like we would from any other source. 
We have an integration with Empire that does the following:<\/p>\n<ol>\n<li>Checks every minute for the Status of our Empire Listeners<\/li>\n<li>Checks every minute for Empire Agents<\/li>\n<li>If an Agent session is established, Swimlane Workflow executes a series of actions depending on specific conditions.<\/li>\n<\/ol>\n<p>We know that time is critical here because an attacker may just be beginning their exfiltration. Or, they may become savvy to our endeavors, and we should gather as much intel about who they are and their tools as quickly as possible. We need to treat this as if we only get one look at an attacker\u2019s machine.<\/p>\n<p>Using Swimlane\u2019s Workflow, we\u2019ve already defined what actions need to be taken should we catch a callback from our \u201cspecial\u201d files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2161\" src=\"https:\/\/swimlane.com\/assets\/uploads\/images\/wp\/2017\/11\/Empire-Listeners-Swimlane-Workflow.png\" alt=\"Empire-Listeners-Swimlane-Workflow\" width=\"722\" height=\"365\"><\/p>\n<p>Regardless of whether it\u2019s an internal or external IP (either could be a possible pivot point for attackers), we decide to run some of our PowerShell DFIR commands and send notifications. These tasks include getting the arp cache, netstat, processes, checking for hollow processes (and retrieving a memory dump if we find any), screenshots, drive enumeration and more:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2165\" src=\"https:\/\/swimlane.com\/assets\/uploads\/images\/wp\/2017\/11\/Empire-Screenshot.png\" alt=\"Empire-Powershell-Swimlane-Screenshot\" width=\"860\" height=\"635\"><\/p>\n<p>Just remember if it\u2019s an external IP, there is a larger chance that whatever we task the agent to do on callback won\u2019t get executed. That\u2019s because most APTs will curtail the communications allowed in and out of their network. 
So, best practice is to get as much from the initial callback as possible. Luckily, with Empire you can modify the payload before you Base64 and embed it; so go wild with modifications.<\/p>\n<h3>Time to start a detailed investigation<\/h3>\n<p>Is that it? Of course not. We\u2019ve got some of the attacker\u2019s TTPs, which are probably being reused, and we\u2019re ready to begin a more detailed investigation. But, we\u2019ll deal with that in a separate post. For today, consider it a job well done to be able to use an open source tool and automation to track down malicious actors within the network and gather time-sensitive data.<\/p>\n<\/div>\n\n\n\n<div class=\" bs-column col-sm-12  col-md-12 col-lg-3   bs-column-4ffac197d945e44dadadc9d8f52ba4737135ba21 bs-column---default     \">\n<div class=\"bs-div bs-div-ffc71f24880cf5ca65c4a54e87fb14a656cc562d bs-div---default bs-div--tags\"><div class=\"bs-div__inner     \">\n<h2 class=\"wp-block-heading\" id=\"h-tags\">Tags<\/h2>\n\n\n<div class=\"post-tag-wrapper\">\n    <p><\/p><\/div>\n<\/div><\/div>\n\n\n\n<div class=\"bs-div bs-div-69c461f15bb5fa3fc09d1aa73a0e5865005218ff bs-div---default bs-div--related-posts\"><div class=\"bs-div__inner     \">\n<h2 class=\"wp-block-heading\" id=\"h-related-posts\">Related Posts<\/h2>\n\n\n\n<div class=\"bs-related-posts bs-related-posts-block---default\"><div class=\"bs-related-posts__container\"><div class=\"bs-related-posts__items\">\n<div class=\" bs-column col-sm-4   bs-column-4bb8c1b66cb5e72c43988fbaf017046daf38fc18 bs-column---default     \">\t\t\t\t\t<div class=\"bs-post bs-post-69e5e049d7b51 bs-single-post---default enable\" >\n\t\t\t<a class=\"bs-post__trigger\" href='https:\/\/swimlane.com\/fr\/blog\/establishing-your-data-privacy-program-with-soar\/' target='_self'>\t\t\t<div class=\"bs-post__inner\">\n\t\t\t\t<div class=\"bs-post__details\">    <div class=\"bs-post__date\">\n        <span>Ao\u00fbt 20, 2020<\/span>\n    <\/div>\n    <div class=\"bs-post__title\">\n        
<h5>Understanding the Fundamental Rights of the Data Subject and establishing your Data Privacy Program with SOAR<\/h5>\n    <\/div>\n<div class=\"bs-post__learn-more\">\n    <span class='btn learn-more-text bs-post__learn-more-text'>Read More<\/span><\/div>\n<\/div>\t\t\t<\/div>\n\t\t\t<\/a>\t\t<\/div>\n\t<\/div>\n\n\n\n<div class=\" bs-column col-sm-4   bs-column-4bb8c1b66cb5e72c43988fbaf017046daf38fc18 bs-column---default     \">\t\t\t\t\t<div class=\"bs-post bs-post-69e5e049d8eb6 bs-single-post---default enable\" >\n\t\t\t<a class=\"bs-post__trigger\" href='https:\/\/swimlane.com\/fr\/blog\/making-mitre-attck-actionable\/' target='_self'>\t\t\t<div class=\"bs-post__inner\">\n\t\t\t\t<div class=\"bs-post__details\">    <div class=\"bs-post__date\">\n        <span>Juil 16, 2020<\/span>\n    <\/div>\n    <div class=\"bs-post__title\">\n        <h5>Making MITRE ATT&#038;CK Actionable<\/h5>\n    <\/div>\n<div class=\"bs-post__learn-more\">\n    <span class='btn learn-more-text bs-post__learn-more-text'>Read More<\/span><\/div>\n<\/div>\t\t\t<\/div>\n\t\t\t<\/a>\t\t<\/div>\n\t<\/div>\n\n\n\n<div class=\" bs-column col-sm-4   bs-column-4bb8c1b66cb5e72c43988fbaf017046daf38fc18 bs-column---default     \">\t\t\t\t\t<div class=\"bs-post bs-post-69e5e049da1c3 bs-single-post---default enable\" >\n\t\t\t<a class=\"bs-post__trigger\" href='https:\/\/swimlane.com\/fr\/blog\/black-hat-2019-best-sessions-for-secops\/' target='_self'>\t\t\t<div class=\"bs-post__inner\">\n\t\t\t\t<div class=\"bs-post__details\">    <div class=\"bs-post__date\">\n        <span>Juil 25, 2019<\/span>\n    <\/div>\n    <div class=\"bs-post__title\">\n        <h5>Black Hat 2019: Best sessions for SecOps<\/h5>\n    <\/div>\n<div class=\"bs-post__learn-more\">\n    <span class='btn learn-more-text bs-post__learn-more-text'>Read More<\/span><\/div>\n<\/div>\t\t\t<\/div>\n\t\t\t<\/a>\t\t<\/div>\n\t<\/div>\n<\/div><\/div><\/div>\n<\/div><\/div>\n\n\n<\/div>\n<\/div>\n<\/div><\/section>\n\n\n\n<section 
class=\"bs-section bs-section-2a4a600ae9ab197b6a4ccafe05152bf1a2fde1d1 bs-section---default bs-section--newsletter bs-section--common-marketo-form bs-section--common-marketo-form-two-columns  \"><style>.bs-section.bs-section-2a4a600ae9ab197b6a4ccafe05152bf1a2fde1d1{ background-color: #000743;} <\/style><div class=\"container-fluid\">\n<div class=\"bs-row row   bs-row---default\">\n<div class=\" bs-column col-sm-0 col-md-0 col-lg-6   bs-column-df5e10bef85c15055718b4d93887855962017939 bs-column---default     \">\n<h2 class=\"wp-block-heading has-white-color has-text-color\" id=\"requestor\">Request a Live Demo<\/h2>\n<\/div>\n\n\n\n<div class=\" bs-column col-sm-0 col-md-0 col-lg-6   bs-column-df5e10bef85c15055718b4d93887855962017939 bs-column---default     \"><div class='media-elements bs-media-element---default enable'>    <div class='bs-common-image'>\n                            <figure class='figure justify-content-start d-flex'>\n                            <picture>\n                            \n                            <img src='https:\/\/swimlane.com\/wp-content\/uploads\/liitp.svg' class='img-fluid'   alt='' title=''  \/>\n                            <\/picture>\n                                \n                            <\/figure>\n                        <\/div><\/div>\n\n<script src=\"\/\/pages.swimlane.com\/js\/forms2\/js\/forms2.min.js\"><\/script>\n<form id=\"mktoForm_1017\"><\/form>\n<script>\n    var embeddedFormId = '05a6905d0187a23e165b2fd995e965fe15cb94f6';\n    var marketoBaseUrl = '\/\/pages.swimlane.com';\n    var munchkinId = '978-QCM-390';\n    var formId = '1017';\n    var responseType = 'redirect';\n    var responseMessage = 'Thank you!';\n    var redirectURL = '';\n    var downloadFileURL = '';\n    var linkOpenType = '_self';\n    var popupVideo = 'url';\n    var popupVideoURL = '';\n    var popupVideoUploadURL = '';\n    MktoForms2.loadForm(marketoBaseUrl, munchkinId, formId, function(form) {\n        
form.onSuccess(function(values, followUpUrl) {\n            document.getElementById(\"int_mktoForm_\" + formId).innerHTML = responseMessage;\n                    });\n    });\n<\/script>\n<div class=\"form-submit-note\" id=\"int_mktoForm_1017\"><\/div>\n<!-- Incluing form response options -->\n\n\n\n<script>\n    (function() {\n        \/\/ Please include the email domains you would like to block in this list\n        var invalidDomains = [\"@gmail.\", \"@yahoo.\", \"@hotmail.\", \"@live.\", \"@icloud.\",\"@aol.\", \"@outlook.\", \"@proton.\", \"@mailinator.\"];\n\n\n        MktoForms2.whenReady(function(form) {\n            form.onValidate(function() {\n                var email = form.vals().Email;\n                if (email) {\n                    if (!isEmailGood(email)) {\n                        form.submitable(false);\n                        var emailElem = form.getFormElem().find(\"#Email\");\n                        form.showErrorMessage(\"Must be Business email.\", emailElem);\n                    } else {\n                        form.submitable(true);\n                    }\n                }\n            });\n        });\n\n        function isEmailGood(email) {\n            for (var i = 0; i < invalidDomains.length; i++) {\n                var domain = invalidDomains[i];\n                if (email.indexOf(domain) != -1) {\n                    return false;\n                }\n            }\n            return true;\n        }\n\n\n    })(); 
\n<\/script>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":5,"featured_media":9836,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","learn_more_link":[],"show_popup":false,"disable_iframe":false,"enable_lazy_loading":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","featured_page_list":[],"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"tags":[],"resource-type":[67],"resource-topic":[],"resource-industry":[],"blog-category":[69],"class_list":["post-9835","sw_resource","type-sw_resource","status-publish","has-post-thumbnail","hentry","resource-type-blogs","blog-category-use-cases"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Poison the well: Offensive Operations for defenders<\/title>\n<meta name=\"description\" content=\"The old adage of \u201cThe best defense is a good offense\u201d has started to gain traction amongst security operations center (SOC) and IS teams\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/swimlane.com\/fr\/blog\/operations-offensives-pour-les-defenseurs\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" 
\/>\n<meta property=\"og:title\" content=\"Poison the well: Offensive ops for defenders\" \/>\n<meta property=\"og:description\" content=\"The old adage of \u201cThe best defense is a good offense\u201d has started to gain traction amongst security operations center (SOC) and IS teams\" \/>\n<meta property=\"og:url\" content=\"https:\/\/swimlane.com\/fr\/blog\/operations-offensives-pour-les-defenseurs\/\" \/>\n<meta property=\"og:site_name\" content=\"AI Security Automation\" \/>\n<meta property=\"article:modified_time\" content=\"2023-03-10T17:17:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1120\" \/>\n\t<meta property=\"og:image:height\" content=\"696\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@swimlane\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/\",\"url\":\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/\",\"name\":\"Poison the well: Offensive Operations for defenders\",\"isPartOf\":{\"@id\":\"https:\/\/swimlane.com\/fr\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png\",\"datePublished\":\"2017-11-01T17:45:00+00:00\",\"dateModified\":\"2023-03-10T17:17:36+00:00\",\"description\":\"The old adage of \u201cThe best defense is a good offense\u201d has started to gain traction amongst security operations center (SOC) and IS teams\",\"breadcrumb\":{\"@id\":\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#primaryimage\",\"url\":\"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png\",\"contentUrl\":\"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png\",\"width\":1120,\"height\":696,\"caption\":\"Diagram showing PowerShell and Swimlane integration for DFIR tasks, including external and internal tagging and SOC 
notification.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/swimlane.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Poison the well: Offensive ops for defenders\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/swimlane.com\/fr\/#website\",\"url\":\"https:\/\/swimlane.com\/fr\/\",\"name\":\"Low-Code Security Automation & SOAR Platform | Swimlane\",\"description\":\"Agentic AI automation for every security function\",\"publisher\":{\"@id\":\"https:\/\/swimlane.com\/fr\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/swimlane.com\/fr\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/swimlane.com\/fr\/#organization\",\"name\":\"Low-Code Security Automation & SOAR Platform | Swimlane\",\"url\":\"https:\/\/swimlane.com\/fr\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/swimlane.com\/fr\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/swimlane.com\/wp-content\/uploads\/sw-inline-logo-color-white.svg\",\"contentUrl\":\"https:\/\/swimlane.com\/wp-content\/uploads\/sw-inline-logo-color-white.svg\",\"width\":912,\"height\":190,\"caption\":\"Low-Code Security Automation & SOAR Platform | Swimlane\"},\"image\":{\"@id\":\"https:\/\/swimlane.com\/fr\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/swimlane\",\"https:\/\/www.linkedin.com\/company\/swimlane\/\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Empoisonner le puits : Op\u00e9rations offensives pour les d\u00e9fenseurs","description":"Le vieil adage \u201c La meilleure d\u00e9fense, c&#039;est l&#039;attaque \u201d commence \u00e0 gagner du terrain aupr\u00e8s des \u00e9quipes des centres d&#039;op\u00e9rations de s\u00e9curit\u00e9 (SOC) et des syst\u00e8mes d&#039;information.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/swimlane.com\/fr\/blog\/operations-offensives-pour-les-defenseurs\/","og_locale":"fr_FR","og_type":"article","og_title":"Poison the well: Offensive ops for defenders","og_description":"The old adage of \u201cThe best defense is a good offense\u201d has started to gain traction amongst security operations center (SOC) and IS teams","og_url":"https:\/\/swimlane.com\/fr\/blog\/operations-offensives-pour-les-defenseurs\/","og_site_name":"AI Security Automation","article_modified_time":"2023-03-10T17:17:36+00:00","og_image":[{"width":1120,"height":696,"url":"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_site":"@swimlane","twitter_misc":{"Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/","url":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/","name":"Empoisonner le puits : Op\u00e9rations offensives pour les d\u00e9fenseurs","isPartOf":{"@id":"https:\/\/swimlane.com\/fr\/#website"},"primaryImageOfPage":{"@id":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#primaryimage"},"image":{"@id":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#primaryimage"},"thumbnailUrl":"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png","datePublished":"2017-11-01T17:45:00+00:00","dateModified":"2023-03-10T17:17:36+00:00","description":"Le vieil adage \u201c La meilleure d\u00e9fense, c&#039;est l&#039;attaque \u201d commence \u00e0 gagner du terrain aupr\u00e8s des \u00e9quipes des centres d&#039;op\u00e9rations de s\u00e9curit\u00e9 (SOC) et des syst\u00e8mes d&#039;information.","breadcrumb":{"@id":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#primaryimage","url":"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png","contentUrl":"https:\/\/swimlane.com\/wp-content\/uploads\/11.01.17-Offensive-Ops-for-Defenders.png","width":1120,"height":696,"caption":"Diagram showing PowerShell and Swimlane integration for DFIR tasks, including external and internal tagging and SOC 
notification."},{"@type":"BreadcrumbList","@id":"https:\/\/swimlane.com\/fr\/blog\/offensive-ops-for-defenders\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/swimlane.com\/"},{"@type":"ListItem","position":2,"name":"Poison the well: Offensive ops for defenders"}]},{"@type":"WebSite","@id":"https:\/\/swimlane.com\/fr\/#website","url":"https:\/\/swimlane.com\/fr\/","name":"Plateforme d&#039;automatisation de la s\u00e9curit\u00e9 low-code et SOAR | Swimlane","description":"Automatisation par IA agentique pour chaque fonction de s\u00e9curit\u00e9","publisher":{"@id":"https:\/\/swimlane.com\/fr\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/swimlane.com\/fr\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/swimlane.com\/fr\/#organization","name":"Plateforme d&#039;automatisation de la s\u00e9curit\u00e9 low-code et SOAR | Swimlane","url":"https:\/\/swimlane.com\/fr\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/swimlane.com\/fr\/#\/schema\/logo\/image\/","url":"https:\/\/swimlane.com\/wp-content\/uploads\/sw-inline-logo-color-white.svg","contentUrl":"https:\/\/swimlane.com\/wp-content\/uploads\/sw-inline-logo-color-white.svg","width":912,"height":190,"caption":"Low-Code Security Automation & SOAR Platform | 
Swimlane"},"image":{"@id":"https:\/\/swimlane.com\/fr\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/swimlane","https:\/\/www.linkedin.com\/company\/swimlane\/"]}]}},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/sw_resource\/9835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/sw_resource"}],"about":[{"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/types\/sw_resource"}],"author":[{"embeddable":true,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/users\/5"}],"version-history":[{"count":0,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/sw_resource\/9835\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/media\/9836"}],"wp:attachment":[{"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/media?parent=9835"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/tags?post=9835"},{"taxonomy":"resource-type","embeddable":true,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/resource-type?post=9835"},{"taxonomy":"resource-topic","embeddable":true,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/resource-topic?post=9835"},{"taxonomy":"resource-industry","embeddable":true,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/resource-industry?post=9835"},{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/swimlane.com\/fr\/wp-json\/wp\/v2\/blog-category?post=9835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}