SlideShare a Scribd company logo
1 of 30
Download to read offline
NIC 2017 - Attack and detection in Windows Environments
Attack & Detection in Windows
Environments
WHOAMI /ALL
• Chief Technical Architect – Microsoft Security
• Most Valuable Professional
• Microsoft Certified Trainer
• Giac Certified Penetration Tester
• Microsoft infrastructure and security expert
(security researcher)
• 15 years+ with Microsoft technology
• http://oddvar.moe
• I like memes and gifs
@oddvarmoe
My favorite Hollywood hack scene
My goal with this session
• Give examples on real world attacks
• Show my favorite external attacks
• NTLM hash
• Phishing mail
• OWA rules
• Show Internal reconnaissance
• Counter measures and detection methods
• Think Assume Breach!
@oddvarmoe
Who is attacking?
• 2 types of attackers
@oddvarmoe
VISIBLE
ATTACKERS
INVISIBLE
ATTACKERS
Attack methodology
• Open Source Intelligence
• Homepage – metadata
• Social medias
• Password dumps
• Google dorks
• Shodan
@oddvarmoe
• Social engineering and Spear
Phishing
• Drive By Attacks
• Brute force / Wordlist
• Exploiting External servers
• Alternate attack paths
• 3.party
Attackers goal
• Steal Intellectual property
• Abuse infrastructure
• Strategic goal
• Disclose
• Great example: Phineas Fisher -Hacking team - 2015
• http://pastebin.com/0SNSvyjJ
• https://www.youtube.com/watch?v=BpyCl1Qm6Xs
@oddvarmoe
Attack kill chain
• Average 140 days
Open source intelligence
Disclaimer: Accounts used in the following
slides are just examples. Its illegal to use
this information to logon.
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
http://haveibeenpwned.com
Other open source intelligence resources
SHODAN.IO
Other open source intelligence resources
DNSDUMPSTER.COM
@oddvarmoe
Other open source intelligence resources
Google and pastebin
• "site:pastebin.com | site:paste2.org |
site:paste.bradleygill.com | site:pastie.org |
site:dpaste.com | site:paste.pocoo.org |
site:pastie.textmate.org | site:slexy.org"
intext:domainame.com
@oddvarmoe
Other open source intelligence resources
SCRAPING HOMEPAGE - FOCA
@oddvarmoe
Attack demos
• Gain access:
• NTLM hash from picture
• Sending attachments
• Using OWA
• Escalate privileges:
• Scan for local admin rights on other machines
• Place LNK on share
• Look through shares
• Persistence
@oddvarmoe
Red Team Tool – Powershell Empire
• Shoutout to
• Will Schroeder - @harmj0y
• Justin Warner - @sixdub
• Matt Nelson - @enigma0x3
• www.powershellempire.com
@oddvarmoe
DEMO – Gaining Access
@oddvarmoe
Preventing these attacks
• OWA – use MFA
• Attachments on mail
• Enable extra protection in GPO
• https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-
2016-can-block-macros-and-help-prevent-infection/
• AppLocker/Device Guard
• Lock down shares
• Local admin
• Client to client communication
• Make internet great again and block 445
• Net cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-
1e8dcb5b
• Test your security – You test your backup don’t you?
@oddvarmoe
Detecting the attacks
• Windows Defender ATP
• Windows Advanced Threat Analytics
• User Behavior
• Exchange Online ATP
• Do a hunt
• Cimsweep is nice: https://github.com/PowerShellMafia/CimSweep
• Tripwire or Sysmon
• More logging! https://adsecurity.org/?p=3377
• IDS / IPS
• SIEM / OMS
@oddvarmoe
DEMO – Detection
@oddvarmoe
SUMMARY
• Assume breach
• Harden your stuff
• Get detection going
• Test your security
• Educate end users
• Do regular hunting
@oddvarmoe
THANKS FOR
YOUR TIME
http://oddvar.moe
Don’t be like
Trump
Give me a
green card
when you exit

More Related Content

What's hot

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application securityJames Crowley
 
How To Build The Perfect Backtrack 4 Usb Drive
How To Build The Perfect Backtrack 4 Usb DriveHow To Build The Perfect Backtrack 4 Usb Drive
How To Build The Perfect Backtrack 4 Usb Drivekriggins
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)Shubham Gupta
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
MR201504 Web Defacing Attacks Targeting WordPress
MR201504 Web Defacing Attacks Targeting WordPressMR201504 Web Defacing Attacks Targeting WordPress
MR201504 Web Defacing Attacks Targeting WordPressFFRI, Inc.
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEChris Gates
 
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016Ömer Çıtak
 

What's hot (20)

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application security
 
How To Build The Perfect Backtrack 4 Usb Drive
How To Build The Perfect Backtrack 4 Usb DriveHow To Build The Perfect Backtrack 4 Usb Drive
How To Build The Perfect Backtrack 4 Usb Drive
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
MR201504 Web Defacing Attacks Targeting WordPress
MR201504 Web Defacing Attacks Targeting WordPressMR201504 Web Defacing Attacks Targeting WordPress
MR201504 Web Defacing Attacks Targeting WordPress
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass Protocol
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackers
 
Is rust language really safe?
Is rust language really safe? Is rust language really safe?
Is rust language really safe?
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
 

Similar to NIC 2017 - Attack and detection in Windows Environments

Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Paul Haskell-Dowland
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationJoshua Prince
 
SSH - From Zero to Hero
SSH - From Zero to HeroSSH - From Zero to Hero
SSH - From Zero to HeroOWASP Khartoum
 
Ethical Hacking Redefined
Ethical Hacking RedefinedEthical Hacking Redefined
Ethical Hacking RedefinedPawan Patil
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011Xavier Mertens
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
Ethical hacking and cyber security intro
Ethical hacking and cyber security introEthical hacking and cyber security intro
Ethical hacking and cyber security introAbhilash Ak
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPRISMA CSI
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Studysecurityxploded
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Santiago Bassett
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfgcara4
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 

Similar to NIC 2017 - Attack and detection in Windows Environments (20)

Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
SSH - From Zero to Hero
SSH - From Zero to HeroSSH - From Zero to Hero
SSH - From Zero to Hero
 
Ethical Hacking Redefined
Ethical Hacking RedefinedEthical Hacking Redefined
Ethical Hacking Redefined
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Ethical hacking and cyber security intro
Ethical hacking and cyber security introEthical hacking and cyber security intro
Ethical hacking and cyber security intro
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
 
Cryptolocker
Cryptolocker Cryptolocker
Cryptolocker
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 

More from Oddvar Moe

Hva avanserte hackere gjør for å få tilgang - Publisert.pptx
Hva avanserte hackere gjør for å få tilgang - Publisert.pptxHva avanserte hackere gjør for å få tilgang - Publisert.pptx
Hva avanserte hackere gjør for å få tilgang - Publisert.pptxOddvar Moe
 
Red teaming and war stories
Red teaming and war storiesRed teaming and war stories
Red teaming and war storiesOddvar Moe
 
Enkel og effektiv herding av windows
Enkel og effektiv herding av windowsEnkel og effektiv herding av windows
Enkel og effektiv herding av windowsOddvar Moe
 
Phishing past mail protection controls using azure information
Phishing past mail protection controls using azure informationPhishing past mail protection controls using azure information
Phishing past mail protection controls using azure informationOddvar Moe
 
App-o-Lockalypse now!
App-o-Lockalypse now!App-o-Lockalypse now!
App-o-Lockalypse now!Oddvar Moe
 
#Lolbins - Nothing to LOL about!
#Lolbins - Nothing to LOL about!#Lolbins - Nothing to LOL about!
#Lolbins - Nothing to LOL about!Oddvar Moe
 
Windows binærfiler
Windows binærfilerWindows binærfiler
Windows binærfilerOddvar Moe
 
Angrep og deteksjon user group 22.september
Angrep og deteksjon   user group 22.septemberAngrep og deteksjon   user group 22.september
Angrep og deteksjon user group 22.septemberOddvar Moe
 

More from Oddvar Moe (8)

Hva avanserte hackere gjør for å få tilgang - Publisert.pptx
Hva avanserte hackere gjør for å få tilgang - Publisert.pptxHva avanserte hackere gjør for å få tilgang - Publisert.pptx
Hva avanserte hackere gjør for å få tilgang - Publisert.pptx
 
Red teaming and war stories
Red teaming and war storiesRed teaming and war stories
Red teaming and war stories
 
Enkel og effektiv herding av windows
Enkel og effektiv herding av windowsEnkel og effektiv herding av windows
Enkel og effektiv herding av windows
 
Phishing past mail protection controls using azure information
Phishing past mail protection controls using azure informationPhishing past mail protection controls using azure information
Phishing past mail protection controls using azure information
 
App-o-Lockalypse now!
App-o-Lockalypse now!App-o-Lockalypse now!
App-o-Lockalypse now!
 
#Lolbins - Nothing to LOL about!
#Lolbins - Nothing to LOL about!#Lolbins - Nothing to LOL about!
#Lolbins - Nothing to LOL about!
 
Windows binærfiler
Windows binærfilerWindows binærfiler
Windows binærfiler
 
Angrep og deteksjon user group 22.september
Angrep og deteksjon   user group 22.septemberAngrep og deteksjon   user group 22.september
Angrep og deteksjon user group 22.september
 

Recently uploaded

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Recently uploaded (20)

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

NIC 2017 - Attack and detection in Windows Environments

  • 2. Attack & Detection in Windows Environments
  • 3. WHOAMI /ALL • Chief Technical Architect – Microsoft Security • Most Valuable Professional • Microsoft Certified Trainer • Giac Certified Penetration Tester • Microsoft infrastructure and security expert (security researcher) • 15 years+ with Microsoft technology • http://oddvar.moe • I like memes and gifs @oddvarmoe
  • 5. My goal with this session • Give examples on real world attacks • Show my favorite external attacks • NTLM hash • Phishing mail • OWA rules • Show Internal reconnaissance • Counter measures and detection methods • Think Assume Breach! @oddvarmoe
  • 6. Who is attacking? • 2 types of attackers @oddvarmoe VISIBLE ATTACKERS INVISIBLE ATTACKERS
  • 7. Attack methodology • Open Source Intelligence • Homepage – metadata • Social medias • Password dumps • Google dorks • Shodan @oddvarmoe • Social engineering and Spear Phishing • Drive By Attacks • Brute force / Wordlist • Exploiting External servers • Alternate attack paths • 3.party
  • 8. Attackers goal • Steal Intellectual property • Abuse infrastructure • Strategic goal • Disclose • Great example: Phineas Fisher -Hacking team - 2015 • http://pastebin.com/0SNSvyjJ • https://www.youtube.com/watch?v=BpyCl1Qm6Xs @oddvarmoe
  • 9. Attack kill chain • Average 140 days
  • 10. Open source intelligence Disclaimer: Accounts used in the following slides are just examples. Its illegal to use this information to logon. @oddvarmoe
  • 18. Other open source intelligence resources SHODAN.IO
  • 19. Other open source intelligence resources DNSDUMPSTER.COM @oddvarmoe
  • 20. Other open source intelligence resources Google and pastebin • "site:pastebin.com | site:paste2.org | site:paste.bradleygill.com | site:pastie.org | site:dpaste.com | site:paste.pocoo.org | site:pastie.textmate.org | site:slexy.org" intext:domainame.com @oddvarmoe
  • 21. Other open source intelligence resources SCRAPING HOMEPAGE - FOCA @oddvarmoe
  • 22. Attack demos • Gain access: • NTLM hash from picture • Sending attachments • Using OWA • Escalate privileges: • Scan for local admin rights on other machines • Place LNK on share • Look through shares • Persistence @oddvarmoe
  • 23. Red Team Tool – Powershell Empire • Shoutout to • Will Schroeder - @harmj0y • Justin Warner - @sixdub • Matt Nelson - @enigma0x3 • www.powershellempire.com @oddvarmoe
  • 24. DEMO – Gaining Access @oddvarmoe
  • 25. Preventing these attacks • OWA – use MFA • Attachments on mail • Enable extra protection in GPO • https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office- 2016-can-block-macros-and-help-prevent-infection/ • AppLocker/Device Guard • Lock down shares • Local admin • Client to client communication • Make internet great again and block 445 • Net cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net- 1e8dcb5b • Test your security – You test your backup don’t you? @oddvarmoe
  • 26. Detecting the attacks • Windows Defender ATP • Windows Advanced Threat Analytics • User Behavior • Exchange Online ATP • Do a hunt • Cimsweep is nice: https://github.com/PowerShellMafia/CimSweep • Tripwire or Sysmon • More logging! https://adsecurity.org/?p=3377 • IDS / IPS • SIEM / OMS @oddvarmoe
  • 28. SUMMARY • Assume breach • Harden your stuff • Get detection going • Test your security • Educate end users • Do regular hunting @oddvarmoe
  • 30. Don’t be like Trump Give me a green card when you exit

Editor's Notes

  1. 23min hit