Sergey Soldatov
Igor Gots
HOW TO CATCH YOUR “HACKER”
OR
MAKESHIFT SECURITY
AGENDA
• Water
• Fishing
• Fishbite
• Hookset
ZERONIGHTS 2012 GOTS/SOLDATOV 2
W?
INFOSECURITY DEPT. HAS TO
• Write corporate regulations
• Make assessments (compliance &/| pentest)
• Monitor logs!
ATTACK STAGES
• Information gathering
• Passive learning
• Active learning
• Obtaining access
• Maintaining access
• Erasing evidence
FISHING
• Firewall/UTM/… :-)
• IDS/IPS
  • Commercial
  • Opensource/free
• Log analysis
  • Commercial
  • Opensource/free
WHAT HAPPENS WHEN SOMEONE IS BREAKING IN
• Use or modification of privileged accounts
• Configuration modification
• Unusual activity
• New services or applications
TOOL DEPLOYMENT
RECOMMENDED LIST OF EVENTS
• Pros:
  • Microsoft recommends
• Cons:
  • Huge amount of data
• Fun:
“IMPROVEMENTS” FOR MICROSOFT GUIDE
• Admin logon from unusual place
• Admin logon at unusual time
• From one IP by different accounts
• Lock >1 accounts from one IP
• Password/Hash dump
• Run system commands
…
• Pros:
  • More AI
• Cons:
  • Need time
UNIVERSAL METHODS
• Start a service (Windows)
• Events (almost) never seen before
• Pros:
  • Much more AI
• Cons:
  • 100% we’ve forgotten something.
CONDITIONS
• OS default configuration
• Up2date AV is up and running
• OS (almost) up2date
• Tested tools:
  • fgdump
  • pwdump
  • pwdumpx
  • metasploit
  • wce
  • mimikatz
NEVER SEEN BEFORE EVENTS
• Approaches
  • Timeout for statistic collection (up to 24 hours)
  • Complex filtering (by criteria)
• Risks
  • Server restart in case of intrusion
  • Intrusion during statistic gathering
  • Complex configuration
  • Details of event happening
NEVER SEEN BEFORE EVENTS (RULE FOR SEC.PL)
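The rule shown on this slide was written for sec.pl (SEC, the Simple Event Correlator) and did not survive extraction. What follows is an added Python sketch, not the authors' rule and not a SEC rule, of three ideas from the preceding slides: the "from one IP by different accounts" and "lock >1 accounts from one IP" correlations from the "improvements" list, and the "events never seen before" approach with a learning period that plays the role of the statistic-collection timeout. The record format and the sample log are constructed for the example; the event IDs are the standard Windows ones (4624 successful logon, 4740 account lockout, 7045 new service installed), and the window sizes and the three-account threshold are assumed tuning parameters.

```python
"""Added example: plain-Python correlation over constructed Windows-style
security events.  Not the authors' sec.pl rule and not a SEC rule.

Record format (constructed for this example, one event per line):
    <ISO timestamp> <event id> <account> <source ip> <detail>
Event IDs are the standard Windows ones: 4624 successful logon,
4740 account locked out, 7045 new service installed (detail = service name).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOGON, LOCKOUT, NEW_SERVICE = 4624, 4740, 7045


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    account: str
    src_ip: str
    detail: str


def parse(line: str) -> Event:
    """Parse one constructed record; '-' marks an empty detail field."""
    ts, eid, account, ip, detail = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts), int(eid), account, ip, detail)


def distinct_accounts_from_ip(events, event_id, window, threshold):
    """Alert once per source IP when >= threshold distinct accounts produce
    `event_id` from that IP inside a sliding time `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id == event_id:
            by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1                      # slide the window forward
            accounts = {e.account for e in evs[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.append((ip, frozenset(accounts)))
                break                           # one alert per IP is enough
    return alerts


def accounts_per_ip(events, window=timedelta(minutes=10), threshold=3):
    """'From one IP by different accounts' (window and threshold assumed)."""
    return distinct_accounts_from_ip(events, LOGON, window, threshold)


def lockouts_per_ip(events, window=timedelta(hours=1)):
    """'Lock >1 accounts from one IP' (window assumed)."""
    return distinct_accounts_from_ip(events, LOCKOUT, window, 2)


def never_seen_before(events, learn=timedelta(hours=24)):
    """Learn (event id, account, detail) keys for `learn` after the first event,
    then alert once for every key missing from that baseline.  Whatever happens
    inside the learning period is trusted: that is the deck's 'intrusion during
    statistic gathering' risk, and a restart that loses the baseline relearns."""
    events = sorted(events, key=lambda e: e.ts)
    if not events:
        return []
    t0, baseline, alerts = events[0].ts, set(), []
    for e in events:
        key = (e.event_id, e.account, e.detail)
        if e.ts - t0 <= learn:
            baseline.add(key)
        elif key not in baseline:
            alerts.append(e)
            baseline.add(key)                   # report each new key once
    return alerts


# Constructed sample log: one quiet day, then on the second day one host logs
# on as three users within three minutes, locks two of them out and installs
# a service nobody has seen before.
SAMPLE_LOG = """\
2012-11-19T09:00:00 4624 alice 10.0.0.5 -
2012-11-19T09:05:00 4624 bob 10.0.0.6 -
2012-11-19T12:00:00 7045 SYSTEM 10.0.0.5 Spooler
2012-11-20T10:00:00 4624 alice 10.0.0.5 -
2012-11-20T10:01:00 4624 bob 10.0.0.5 -
2012-11-20T10:02:00 4624 carol 10.0.0.5 -
2012-11-20T10:03:00 4740 bob 10.0.0.5 -
2012-11-20T10:04:00 4740 carol 10.0.0.5 -
2012-11-20T10:05:00 7045 SYSTEM 10.0.0.5 svc_example
""".splitlines()


def run(lines=SAMPLE_LOG):
    """Run all three rules over the log and return their hits by rule name."""
    events = [parse(line) for line in lines]
    return {
        "accounts_per_ip": accounts_per_ip(events),
        "lockouts_per_ip": lockouts_per_ip(events),
        "never_seen_before": [(e.event_id, e.account, e.detail)
                              for e in never_seen_before(events)],
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

Note that the second-day logon by alice from 10.0.0.5 is not reported by the baseline rule, because her (4624, alice) key was learned on day one, while carol's first logon, both lockouts and the unknown service all are; the two sliding-window rules fire independently on the same burst, which is the point of running the "improvements" correlations alongside the baseline rather than instead of it.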
FGDUMP (REMOTE)
PWDUMP6 (REMOTE)
PWDUMPX (REMOTE)
METASPLOIT
WCE (LOCAL)
BUT
MIMIKATZ (LOCAL)
… and NO LOGS!
DETECTION
HOPE, READY TO ANSWER YOUR QUESTIONS…
Thanks for your attention!
Igor Gots
Sergey Soldatov
reply-to-all.blogspot.com