
Windows Advance Threats - BSides Amman 2019

Learn how to hack Windows machines and reveal the password of the domain admin by hacking into memory and Windows services. This is Level 400 content with a lot of demos, and it covers many security technologies, including machine learning and post-breach and pre-breach defensive controls.

I presented this session in the first BSides Security conference in Amman-Jordan and I am sharing the slides as requested by the audience.
I am also going to post the full video on my YouTube channel: , so don't forget to subscribe.
I would like to hear your feedback on my session, so please connect with me on Twitter @ammarhasayen and let me know what you think.

About me:
Social Media (Twitter, LinkedIn, Instagram): @ammarhasayen

Windows Advanced Threat and Defensive Technique

  1. Presented by: Ammar Hasayen | MS MVP CISSP | Cybersecurity. ADVANCED WINDOWS THREATS & DEFENSIVE TECHNIQUES. BSides Amman - ASU. Date: 20 April 2019. Available on SlideShare & YouTube. @ammarhasayen
  2. About Me: Blog: Social Media: @ammarhasayen. CISSP | Microsoft MVP | Pluralsight Author | Book Author
  3. IN THIS PRESENTATION: Attacking Windows Services – Stopping the antivirus service – Hacking service accounts running under a domain admin account. Attacking Passwords – Hacking the built-in admin password – Pass-the-hash attack. Cyber Kill Chain – Endpoint Detect & Response • Microsoft Defender ATP – Behavioral-based Detection • Azure ATP
  5. DEMO: Look at the antivirus service and see if we can stop it. Hack the antivirus service and stop it.
  6. DEMO: Inspect a Windows service running under a domain admin account. Hack the password of the domain admin account.
  7. Windows Service Account Best Practices: Never use highly privileged accounts (domain admin) to run services in your environment. As a best practice, use Managed Service Accounts to run your Windows services. Mind the principle of least privilege. If the attacker gets privileged access to the machine, everything on that machine is compromised (even if you have antivirus).
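A defender-side check for the slide 7 guidance, written as an added example (not code from the talk): it lists every Windows service whose logon account is neither a built-in identity nor a (group) Managed Service Account, and flags those whose account sits in a privileged group. The group name `Domain Admins` and the use of the ActiveDirectory module (RSAT) are assumptions.

```powershell
# Added example (not from the slides): audit which Windows services run under
# a domain/local user account instead of a built-in or managed service account.
# Assumes the ActiveDirectory module (RSAT) is installed for the group lookup.
$BuiltIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-RiskyServiceAccounts {
    param(
        [string]$ComputerName    = $env:COMPUTERNAME,
        [string]$PrivilegedGroup = 'Domain Admins'   # assumed group name
    )

    # Resolve members of the privileged group once (recursive, so nested groups count).
    $privileged = @{}
    try {
        Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
            ForEach-Object { $privileged[$_.SamAccountName.ToLower()] = $true }
    } catch {
        Write-Warning "Could not query '$PrivilegedGroup'; IsPrivileged will be false for all rows."
    }

    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and ($BuiltIn -notcontains $_.StartName) } |
        ForEach-Object {
            # StartName is DOMAIN\user, user@domain or .\localuser; extract the account name.
            $acct = $_.StartName
            $sam  = if ($acct -match '@') { ($acct -split '@')[0] } else { ($acct -split '\\')[-1] }
            [pscustomobject]@{
                Computer     = $ComputerName
                Service      = $_.Name
                State        = $_.State
                RunsAs       = $acct
                # (g)MSA account names end with '$' and need no stored password.
                IsManagedSvc = $sam.EndsWith('$')
                IsPrivileged = $privileged.ContainsKey($sam.ToLower())
            }
        }
}

# Anything that is neither built-in nor an MSA stores a reusable password on the host;
# rows with IsPrivileged = True are the case the slide warns about.
Get-RiskyServiceAccounts |
    Where-Object { -not $_.IsManagedSvc } |
    Sort-Object IsPrivileged -Descending |
    Format-Table -AutoSize
```

Run it from an account allowed to query both CIM on the target and group membership in AD; pass `-ComputerName` to sweep other hosts.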
  8. DEMO REFERENCES • SDDL for Device Objects • SID Strings • PsExec Tool (used to impersonate the Local System account in the demo) • Service Account Password Dumper: SPAD • Managed Service Accounts (MSA) understanding-implementing-best-practices-and-troubleshooting/
  10. DEMO: Hacking passwords in memory. Stealing the hash of the local admin. Using pass-the-hash to connect to another machine - Obtain CMD.EXE access - Access sensitive information
  11. Lessons Learned: The Debug Privilege right should be monitored. Users should not be admins on their machines (least privilege). You should not have the same local administrator password on all machines - Use Microsoft Local Administrator Password Solution (LAPS). Use separate machines for admins by implementing the Privileged Access Workstation (PAW) solution. Consider disabling the local Guest and Administrator accounts.
  12. DEMO REFERENCES • Microsoft Local Administrator Password Solution us/download/details.aspx?id=46899 • Privileged Access Workstations access/privileged-access-workstations • PsExec Tool used to connect to the target machine
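Slide 11 asks for the Debug Privilege right to be monitored; the following added example (not from the talk) exports the local user-rights policy with `secedit` and resolves every principal holding `SeDebugPrivilege`, so the list can be compared against the expected baseline. It assumes an elevated PowerShell prompt and a writable `$env:TEMP`.

```powershell
# Added example (not from the slides): list the principals granted SeDebugPrivilege
# on this machine. secedit needs an elevated prompt to export the local policy.
function Get-DebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    # Export only the user-rights area; secedit writes a UTF-16 text file.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg -Encoding Unicode |
            Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }   # nobody holds it explicitly

        ($line -split '=')[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # secedit stores SIDs with a leading '*'; translate to an account name.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved SID>' }
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                # Plain names are written as-is (no SID available from the export).
                [pscustomobject]@{ Sid = $null; Name = $entry }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# On a default Windows install only BUILTIN\Administrators (S-1-5-32-544) appears here;
# any additional user, group or service account is a finding worth reviewing.
Get-DebugPrivilegeHolders | Format-Table -AutoSize
```

Scheduling this and diffing its output against the previous run turns the slide's "should be monitored" into a concrete control.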
  14. Cyber Kill Chain (diagram): Malware, Deliver, Install, Command & Control, Lateral Movement, Staging, Exfiltration; phases Pre Breach, Post Breach, Forensics. Detection layers: Advanced Threat Detection (Classification), Anomaly Detection, Signature & Packet Filters, Heuristics, Sandboxes & Stateful Filters, Machine Learning.
  15. Endpoint Detect & Response • Installs on the endpoint (workstation or server). • Uses AI-based detection techniques (mainly classification). • Uses the power of the cloud. • Tries to identify zero-day attacks using machine learning. • Microsoft implements this as Microsoft Defender ATP.
  16. Microsoft Defender ATP (diagram): Windows Defender Endpoint Detection and Response; Windows Defender Endpoint Protection; Windows Defender SmartScreen. Block malicious websites. Block low-reputation web downloads. Monitors behaviors and terminates bad processes. Block malicious programs and content. After execution – Windows Defender Hexadite can reverse damage. After execution – Windows Defender ATP monitors for post-breach signals. Endpoint Protection; Detection and Remediation.
  17. Advanced Real-Time Defense (numbered diagram): Client holds file and uploads sample. Sample is processed & checked against machine learning classifiers. Cloud generates signature and sends it to client. Client blocks file and reports back, protecting all customers.
  18. Machine Learning for Endpoint Protection (diagram): Local ML models, behavior-based detection algorithms, generics and heuristics; Metadata-based ML models; Sample analysis-based ML models; Detonation-based ML models; Big Data analysis. Client vs. Cloud; latency ranges from milliseconds to seconds, minutes and hours.
  19. DEMO: Simulate an attack - Delivering malware to a machine - Document drops backdoor - Malware creates scheduled task (auto-start) - Detect attack on Microsoft ATP - Explore response actions. Exploring the Microsoft Defender ATP portal.
  20. Anomaly Detection (Unsupervised)
  21. Behavioral-based Detection • Happens post breach (Lateral Movement). • Identifies anomalies in the network. • Can be seen in IDS, IPS or other types of implementations. • Microsoft implements Azure Advanced Threat Protection (Azure ATP), formerly known as ATA.
  22. Azure ATP (diagram): Security Expert; Users, Groups, Machines; profile questions: Machine? Logon Hours? Sensitive? Peers? Resources?
  23. Azure ATP Detecting Unusual Behaviour (diagram): Machine? Logon Hours? Sensitive? Peers? Resources? Alice, CFO Machine
  24. Azure ATP Detecting Unusual Behavior (diagram): Machine? Logon Hours? Sensitive? Peers? Resources? Alice, Finance Files
  25. Azure Advanced Threat Protection (five-step diagram): Collect – DC logs, SIEM, Windows events; L7 deep packet inspection. Analyze & Learn – self-learning and profiling technology, patented IP resolution, unlimited scale by Azure. Detect – abnormal behavior & suspicious activities. Alert & Investigate – intuitive attack timeline, lateral movement graphs, alerts via email & scheduled reports. Integrate – integrated with Windows Defender ATP to dig deeper into device health.
  26. DEMO REFERENCES • Cyber Kill Chain july2017.pdf • Microsoft Defender ATP • Azure Advanced Threat Protection (Azure ATP)
  27. SUMMARY: Windows service account best practices – attacks and defensive techniques. Attacking passwords in memory – Pass-the-hash – Same local admin password risk. Cyber kill chain – Pre-breach endpoint detection • Microsoft Defender ATP – Post-breach detection • Azure ATP
  28. REFERENCES • Introduction to Azure Advanced Threat Protection (Azure ATP) • Secure Modern Workplace With Microsoft ATP threat-protection/ • My YouTube Video on Microsoft ATP • Microsoft Cloud App Security
  29. YOU CAN ACCESS THE SLIDES FROM SlideShare @ammarhasayen
  33. CONNECT ON SOCIAL MEDIA @ammarhasayen
  36. CREDIT: I want to thank the BSides Amman community in Jordan for having me as a speaker in the first edition of this conference. Special thanks to Layla Al-Zoubi for recommending my name as a speaker. Big thanks to all the great audience who gave me amazing feedback and encouraged me to share my slides and record a YouTube video for offline viewing. Thanks to all sponsors who made this event a professional conference in terms of facilities, media coverage and organization. I would encourage people to follow BSides Amman on social media (@BSidesAmman) and follow their Facebook page for future events to come. Note: Some demos are inspired by Paula J., CQURE.
  37. PHOTO ALBUM BSides Amman 2019
  38. PHOTO ALBUM BSides Amman 2019
  39. COPYRIGHT STATEMENT: I want to help you share knowledge and creativity, to build a more equitable, accessible, and innovative world, by unlocking the potential of the internet to drive a new era of development, growth and productivity. This is why I provide you with my copyright license, to make it easy for you to share and use creative work on simple terms and conditions. This license lets you remix, tweak, and build upon my work non-commercially, as long as you credit me and license your new creations under the identical terms. Attribution-NonCommercial-ShareAlike