SlideShare a Scribd company logo

The Pivot

Priyanka Aash
Priyanka Aash

In today’s threat landscape, the attacker is an insider. Whether a state-sponsored actor or cybercriminal, attackers typically first compromise the endpoint with a client-side exploit and then pivot. In this session, we take a deep dive into how attackers pivot through organizations, identify the telltale signs of a pivot, and most importantly, identify steps for defending against it. (Source: RSA USA 2016-San Francisco)

Technology
1 of 44
Download to read offline
SESSION ID: #RSAC Jonathan Trull The Pivot AIR-F02 Office of the CISO Optiv @jonathantrull
Presenter’s Company Logo – replace on master slide #RSAC The Pivot 2 Pivot (verb): to move or turn from a central point
Presenter’s Company Logo – replace on master slide #RSAC Dwell Time 3 APT1 356 APT1 maintained access to victim networks for an average of 356 days 205 Dwell Time Attackers had free reign of victim networks for 205 days in 2015
Presenter’s Company Logo – replace on master slide #RSAC Detection Deficit 4 Source: 2015 Verizon Data Breach Report 60% of cases Attackers are able to compromise an organization within minutes Spread from Victim 0 to Victim 1 within one day (24 hours) 75% of attacks
Presenter’s Company Logo – replace on master slide #RSAC Time is not on your side 5 50 percent of users open emails and click on phishing links within the first hour 1 minute and 22 seconds – Median time to first click Half of CVEs exploited from publish to pwn in less than a month
Presenter’s Company Logo – replace on master slide #RSAC Session Objectives 6 How attackers pivot and move laterally through an organization How to identify the telltale signs of a pivot Identify the steps to defend against it
#RSAC How Attackers Pivot and Move Laterally 7
Presenter’s Company Logo – replace on master slide #RSAC Attacker Lifecycle 8 Observe Orient Decide Act
Presenter’s Company Logo – replace on master slide #RSAC Optiv Simulated Attack Lifecycle 9 Stages Use Cases Code Execution UC-01.003: Host Exploit Flash CVE-2014-0497 UC-02.001: Malware Installation Zeus UC-02.002: Malware Installation Custom (Veil AES) UC-02.004: Malware Installation Custom (Excel Macro) UC-02.008: Disrupt Security Software UC-02.009: Persistence Lateral Movement UC-02.010: Install Tools UC-03.001: Credential Theft UC-04.001: Lateral Movement Reconnaissance UC-04.002: Lateral Movement Malware Installation Exfiltrate Data UC-05.001: Data Exfiltration Zeus UC-05.002: Data Exfiltration UC-06.001: Cover Tracks
Presenter’s Company Logo – replace on master slide #RSAC Story of a Hack 10 Medium-sized Pharmaceutical Company • Significant R&D • Microsoft environment
Presenter’s Company Logo – replace on master slide #RSAC Patient Zero 11 Windows 7 Enterprise Desktop • User running with local administrator privileges • Spear phishing email / Link to watering hole
Presenter’s Company Logo – replace on master slide #RSAC We don’t need no stinking badges 12 After initial compromise, attackers are leveraging native tools: • cmd.exe • Powershell scripts • at.exe • Net use • WMI Compromised credentials are commonly used during pivot: • Mimikatz • wce
#RSAC Signs of a Pivot (Indicators of Pivot or IOPs) 13
Presenter’s Company Logo – replace on master slide #RSAC Indicators on Two or More Machines 14 Source Network Artifacts / Logs Artifacts / Logs Artifacts / Logs Destination
Presenter’s Company Logo – replace on master slide #RSAC Recon Stage 15 • whoami • net view /domain • net users • net group “Domain Admins” / <domain > • net view /domain:<Domain Name> Open PortsSessions and Open Shares Domains, Users and Systems • net session • net file • Ping • FPORT
Presenter’s Company Logo – replace on master slide #RSAC Remote Code Execution 16 • Scheduled Tasks • at.exe • WMI • PowerShell • Remote Desktop (RDP) Third-Party ToolsNative Tools • SysInternals PsExec • Netcat • Metasploit
Presenter’s Company Logo – replace on master slide #RSAC Remote Code Execution Examples 17 Windows Management Instrumentation (WMI): • wmic /domain:host process call create “c:rootkit.exe” Powershell • Invoke-Command host {c:rootkit.exe} SysInternals PsExec • Psexec host -e c:rootkit.exe
Presenter’s Company Logo – replace on master slide #RSAC Mapping Shares 18 Allows for limited interaction with destination host for attacker However, share may contain valuable data Usage: • Map Network Drive wizard • CLI -> net use z: hostdrive /user <username> <password>
Presenter’s Company Logo – replace on master slide #RSAC Scheduled Tasks 19 at.exe or schtasks.exe creates tasks on local or remote host Typically used to remotely execute malware or other malicious tools Requires admin privileges Runs under context of SYSTEM
Presenter’s Company Logo – replace on master slide #RSAC Windows Event Logs Native logging of security, system and application events Requires further configuration to be useful for detecting IOPs Location: %systemroot%System32winevtLogs*.evtx Microsoft Event Viewer
Presenter’s Company Logo – replace on master slide #RSAC Windows Account Usage 21 ID Level Event Log Event Source Account Lockouts 4740 Informational Security Microsoft-Windows-Security-Auditing User Added to Privileged Group 4728, 4732, 4756 Informational Security Microsoft-Windows-Security-Auditing Security-Enabled Group Modification 4735 Informational Security Microsoft-Windows-Security-Auditing Successful User Account Login 4624 Informational Security Microsoft-Windows-Security-Auditing Failed User Account Login 4625 Informational Security Microsoft-Windows-Security-Auditing Account Login with Explicit Credentials 4648 Informational Security Microsoft-Windows-Security-Auditing
Presenter’s Company Logo – replace on master slide #RSAC Windows Logon Types 22 Type Code Example Type Code Example Interactive 2 At the console of a computer NetworkCleartext 8 Similar to network logons but in clear text Network Logons 3 Connections to shared folders or printers NewCredentials 9 RunAs used to start program under different user account Batch 4 Scheduled tasks Remoteinteractive 10 RDP, terminal services, remote assistance Service 5 Windows service started CacheInteractive 11 Remote logon with domain account Unlock 7 Unlock computer screen
Presenter’s Company Logo – replace on master slide #RSAC Process Creation 23 Event ID 4688: A new process has been created Documents each program that is executed, who the program ran as and the process that started this process Disabled by default: • Enable by editing GPO • Policy location: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking Missing process command line arguments by default • Enable via GPO – “Include command line in process creation events”
Presenter’s Company Logo – replace on master slide #RSAC Created Process with Command Line 24
Presenter’s Company Logo – replace on master slide #RSAC Prefetch Files 25 Introduced in Windows XP Designed to speed up application startup processes Location: %systemroot%prefetch*.pf Contain name of the executable, Unicode list of DLLs used, count of times .exe run, and timestamp indicating last run time
Presenter’s Company Logo – replace on master slide #RSAC Viewing Pre-fetch Files 26
Presenter’s Company Logo – replace on master slide #RSAC Scheduled Tasks 27 Source Prefetch files of program execution => at.exe or schtasks.exe Destination Service being started => Event ID 7035/7036
Presenter’s Company Logo – replace on master slide #RSAC Windows Special Groups 28 Event ID 4964 Introduced in Windows 2008 Use to track logon of particular accounts on systems
Presenter’s Company Logo – replace on master slide #RSAC IOP #1 – Successful PtH 29 Event ID Event Log Level Logon Type Auth Package 4624 Security Informational 3 NTLM View filter -> Not a domain logon and not the ANONYMOUS LOGON account
Presenter’s Company Logo – replace on master slide #RSAC IOP #2 – Failed PtH 30 Event ID Event Log Level Logon Type Auth. Package 4625 Security Informational 3 NTLM View Filter -> Not a domain logon and not the ANONYMOUS LOGON account
Presenter’s Company Logo – replace on master slide #RSAC IOP #3 – New Scheduled Task 31 • Alert on new Event ID 7035 created by at[#].exe
Presenter’s Company Logo – replace on master slide #RSAC IOP # 4 – Privilege Escalation 32 Alarm on login from non-workstation host to another non-workstation host Alarm on login from one workstation to another workstation Alarm on login attempts using known service accounts Alarm on creation of new domain admin account or elevation of account
#RSAC Defending the Pivot
Presenter’s Company Logo – replace on master slide #RSAC Levels of Defense 34 100,000 Foot View • Layered preventive and detective controls • IOP hunting • User behavior analytics • Configure auditing / EDR or Sysmon • Honeypot deployment In the Weeds • Remove / restrict use of Powershell on endpoints • Look for IOP artifacts at the host and network levels • Mitigate Pass-the-Hash attacks
Presenter’s Company Logo – replace on master slide #RSAC Optiv Research Methodology 35 We selected seven solutions that span across all endpoint categories The endpoint product was the only point of defense All endpoints were unpatched and vulnerable to the selected attacks Goal was to compare and contrast results from different types of endpoint solutions
Presenter’s Company Logo – replace on master slide #RSAC Types of Solutions Tested 36 Endpoint Protection Platform (EPP) Exploitation Mitigation Endpoint Detection and Response (EDR) EDR and App Control
Presenter’s Company Logo – replace on master slide #RSAC Testing Highlights 37 Lateral Movement • No silver bullets • Look for odd usage of scripts • Use threat modeling to identify how attackers would pivot through your network and build detection rules to identify IOPs • Leverage Windows event logs and timeline analysis • Control user-to-user communication and powershell script execution • Use enhanced authentication (OTP/2fa) for domain admin accounts • Implement mitigation strategies for Pass-the-Hash attacks
Presenter’s Company Logo – replace on master slide #RSAC Detailed Results 38 Endpoint Protection Platform Anti- Exploitation EDR + App Control EDR Use Case Vendor # 1 Vendor # 2 Vendor # 3 Vendor # 4 Vendor # 5 Vendor # 6 Vendor # 7 UC-02.010: Install Tools Pass Pass Pass Fail Partial Fail Partial UC-03.001: Credential Theft Partial Partial Partial Fail Partial Fail Partial UC-04.001: Lateral Movement Reconnaissance Fail Fail Fail Fail Partial Fail Partial UC-04.002: Lateral Movement Malware Installation Pass Fail Pass Pass Partial Partial Partial
Presenter’s Company Logo – replace on master slide #RSAC Enable Sufficient Logging 39 Sysmon EDR Audit policy configuration
Presenter’s Company Logo – replace on master slide #RSAC Central Logging and Analysis 40 SIEM
Presenter’s Company Logo – replace on master slide #RSAC Honeypots 41
Presenter’s Company Logo – replace on master slide #RSAC For More Detailed Information 42 www.secopslabs.com
Presenter’s Company Logo – replace on master slide #RSAC Apply What You Have Learned Today! 43 Next week you should: • Ensure sufficient logging is enabled to detect IOPs • Develop a detailed threat model for how attackers would pivot through your organization to gain access to your crown jewels In the first three months following this presentation you should: • Perform daily IOP hunting on your endpoints using either an EDR solution or Microsoft event logs • Deploy honeypots to the DMZ and user and server subnets Within six months you should: • Implement enhanced authentication for domain admin accounts and pass-the-hash mitigation strategies
Presenter’s Company Logo – replace on master slide #RSAC References 44 www.ultimatewindowssecurity.com https://technet.microsoft.com/security/advisory/3004375 http://sysforensics.org/2014/01/lateral-movement/ www.optiv.com http://windowsir.blogspot.com/2013/07/howto-track-lateral- movement.html https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_wind ows_event_log_monitoring.pdf

Recommended

technical overview - endpoint protection 10.3.3
technical overview - endpoint protection 10.3.3technical overview - endpoint protection 10.3.3
technical overview - endpoint protection 10.3.3
Muhammad Denis Iqbal
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
Robert MacLean
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
Priyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
Priyanka Aash
 
Рабочие нагрузки Skype for business 2015 UC Lab
Рабочие нагрузки Skype for business 2015 UC LabРабочие нагрузки Skype for business 2015 UC Lab
Рабочие нагрузки Skype for business 2015 UC Lab
UC2
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
AlienVault
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
Priyanka Aash
 

Recommended

technical overview - endpoint protection 10.3.3
technical overview - endpoint protection 10.3.3technical overview - endpoint protection 10.3.3
technical overview - endpoint protection 10.3.3
Muhammad Denis Iqbal
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
Robert MacLean
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
Priyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
Priyanka Aash
 
Рабочие нагрузки Skype for business 2015 UC Lab
Рабочие нагрузки Skype for business 2015 UC LabРабочие нагрузки Skype for business 2015 UC Lab
Рабочие нагрузки Skype for business 2015 UC Lab
UC2
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
AlienVault
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
Priyanka Aash
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Priyanka Aash
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Priyanka Aash
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE - ATT&CKcon
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
Priyanka Aash
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
EnclaveSecurity
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
Priyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
Priyanka Aash
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
RootedCON
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Priyanka Aash
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
Equal Experts
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101
Arpan Raval
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Priyanka Aash
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windows
Arpan Raval
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization Security
Rapid7
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Digital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryDigital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - January
Infocyte
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise Assessment
Infocyte
 
Hands-On Security Breakout Session- ES Guided Tour
Hands-On Security Breakout Session- ES Guided TourHands-On Security Breakout Session- ES Guided Tour
Hands-On Security Breakout Session- ES Guided Tour
Splunk
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 

More Related Content

What's hot

An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
EnclaveSecurity
 
Digital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryDigital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - January
Infocyte
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise Assessment
Infocyte
 

What's hot (20)

Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windows
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization Security
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Digital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryDigital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - January
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise Assessment
 
Hands-On Security Breakout Session- ES Guided Tour
Hands-On Security Breakout Session- ES Guided TourHands-On Security Breakout Session- ES Guided Tour
Hands-On Security Breakout Session- ES Guided Tour
 

Similar to The Pivot

str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
peter lam
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
Mario-Leander Reimer
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
QAware GmbH
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Cisco DevNet
 

Similar to The Pivot (20)

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
 
Open Source in Security-Critical Environments
Open Source in Security-Critical EnvironmentsOpen Source in Security-Critical Environments
Open Source in Security-Critical Environments
 
Open source-in-security-critical-environments
Open source-in-security-critical-environmentsOpen source-in-security-critical-environments
Open source-in-security-critical-environments
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
 
Critical hygiene for preventing major breaches
Critical hygiene for preventing major breachesCritical hygiene for preventing major breaches
Critical hygiene for preventing major breaches
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

The Pivot

  • 1. SESSION ID: #RSAC Jonathan Trull The Pivot AIR-F02 Office of the CISO Optiv @jonathantrull
  • 2. Presenter’s Company Logo – replace on master slide #RSAC The Pivot 2 Pivot (verb): to move or turn from a central point
  • 3. Presenter’s Company Logo – replace on master slide #RSAC Dwell Time 3 APT1 356 APT1 maintained access to victim networks for an average of 356 days 205 Dwell Time Attackers had free reign of victim networks for 205 days in 2015
  • 4. Presenter’s Company Logo – replace on master slide #RSAC Detection Deficit 4 Source: 2015 Verizon Data Breach Report 60% of cases Attackers are able to compromise an organization within minutes Spread from Victim 0 to Victim 1 within one day (24 hours) 75% of attacks
  • 5. Presenter’s Company Logo – replace on master slide #RSAC Time is not on your side 5 50 percent of users open emails and click on phishing links within the first hour 1 minute and 22 seconds – Median time to first click Half of CVEs exploited from publish to pwn in less than a month
  • 6. Presenter’s Company Logo – replace on master slide #RSAC Session Objectives 6 How attackers pivot and move laterally through an organization How to identify the telltale signs of a pivot Identify the steps to defend against it
  • 7. #RSAC How Attackers Pivot and Move Laterally 7
  • 8. Presenter’s Company Logo – replace on master slide #RSAC Attacker Lifecycle 8 Observe Orient Decide Act
  • 9. Presenter’s Company Logo – replace on master slide #RSAC Optiv Simulated Attack Lifecycle 9 Stages Use Cases Code Execution UC-01.003: Host Exploit Flash CVE-2014-0497 UC-02.001: Malware Installation Zeus UC-02.002: Malware Installation Custom (Veil AES) UC-02.004: Malware Installation Custom (Excel Macro) UC-02.008: Disrupt Security Software UC-02.009: Persistence Lateral Movement UC-02.010: Install Tools UC-03.001: Credential Theft UC-04.001: Lateral Movement Reconnaissance UC-04.002: Lateral Movement Malware Installation Exfiltrate Data UC-05.001: Data Exfiltration Zeus UC-05.002: Data Exfiltration UC-06.001: Cover Tracks
  • 10. Presenter’s Company Logo – replace on master slide #RSAC Story of a Hack 10 Medium-sized Pharmaceutical Company • Significant R&D • Microsoft environment
  • 11. Presenter’s Company Logo – replace on master slide #RSAC Patient Zero 11 Windows 7 Enterprise Desktop • User running with local administrator privileges • Spear phishing email / Link to watering hole
  • 12. Presenter’s Company Logo – replace on master slide #RSAC We don’t need no stinking badges 12 After initial compromise, attackers are leveraging native tools: • cmd.exe • Powershell scripts • at.exe • Net use • WMI Compromised credentials are commonly used during pivot: • Mimikatz • wce
  • 13. #RSAC Signs of a Pivot (Indicators of Pivot or IOPs) 13
  • 14. Presenter’s Company Logo – replace on master slide #RSAC Indicators on Two or More Machines 14 Source Network Artifacts / Logs Artifacts / Logs Artifacts / Logs Destination
  • 15. Presenter’s Company Logo – replace on master slide #RSAC Recon Stage 15 • whoami • net view /domain • net users • net group “Domain Admins” / <domain > • net view /domain:<Domain Name> Open PortsSessions and Open Shares Domains, Users and Systems • net session • net file • Ping • FPORT
  • 16. Presenter’s Company Logo – replace on master slide #RSAC Remote Code Execution 16 • Scheduled Tasks • at.exe • WMI • PowerShell • Remote Desktop (RDP) Third-Party ToolsNative Tools • SysInternals PsExec • Netcat • Metasploit
  • 17. Presenter’s Company Logo – replace on master slide #RSAC Remote Code Execution Examples 17 Windows Management Instrumentation (WMI): • wmic /domain:host process call create “c:rootkit.exe” Powershell • Invoke-Command host {c:rootkit.exe} SysInternals PsExec • Psexec host -e c:rootkit.exe
  • 18. Presenter’s Company Logo – replace on master slide #RSAC Mapping Shares 18 Allows for limited interaction with destination host for attacker However, share may contain valuable data Usage: • Map Network Drive wizard • CLI -> net use z: hostdrive /user <username> <password>
  • 19. Presenter’s Company Logo – replace on master slide #RSAC Scheduled Tasks 19 at.exe or schtasks.exe creates tasks on local or remote host Typically used to remotely execute malware or other malicious tools Requires admin privileges Runs under context of SYSTEM
  • 20. Presenter’s Company Logo – replace on master slide #RSAC Windows Event Logs Native logging of security, system and application events Requires further configuration to be useful for detecting IOPs Location: %systemroot%System32winevtLogs*.evtx Microsoft Event Viewer
  • 21. Presenter’s Company Logo – replace on master slide #RSAC Windows Account Usage 21 ID Level Event Log Event Source Account Lockouts 4740 Informational Security Microsoft-Windows-Security-Auditing User Added to Privileged Group 4728, 4732, 4756 Informational Security Microsoft-Windows-Security-Auditing Security-Enabled Group Modification 4735 Informational Security Microsoft-Windows-Security-Auditing Successful User Account Login 4624 Informational Security Microsoft-Windows-Security-Auditing Failed User Account Login 4625 Informational Security Microsoft-Windows-Security-Auditing Account Login with Explicit Credentials 4648 Informational Security Microsoft-Windows-Security-Auditing
  • 22. Presenter’s Company Logo – replace on master slide #RSAC Windows Logon Types 22 Type Code Example Type Code Example Interactive 2 At the console of a computer NetworkCleartext 8 Similar to network logons but in clear text Network Logons 3 Connections to shared folders or printers NewCredentials 9 RunAs used to start program under different user account Batch 4 Scheduled tasks Remoteinteractive 10 RDP, terminal services, remote assistance Service 5 Windows service started CacheInteractive 11 Remote logon with domain account Unlock 7 Unlock computer screen
  • 23. Presenter’s Company Logo – replace on master slide #RSAC Process Creation 23 Event ID 4688: A new process has been created Documents each program that is executed, who the program ran as and the process that started this process Disabled by default: • Enable by editing GPO • Policy location: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking Missing process command line arguments by default • Enable via GPO – “Include command line in process creation events”
  • 24. Presenter’s Company Logo – replace on master slide #RSAC Created Process with Command Line 24
  • 25. Presenter’s Company Logo – replace on master slide #RSAC Prefetch Files 25 Introduced in Windows XP Designed to speed up application startup processes Location: %systemroot%prefetch*.pf Contain name of the executable, Unicode list of DLLs used, count of times .exe run, and timestamp indicating last run time
  • 26. Presenter’s Company Logo – replace on master slide #RSAC Viewing Pre-fetch Files 26
  • 27. Presenter’s Company Logo – replace on master slide #RSAC Scheduled Tasks 27 Source Prefetch files of program execution => at.exe or schtasks.exe Destination Service being started => Event ID 7035/7036
  • 28. Presenter’s Company Logo – replace on master slide #RSAC Windows Special Groups 28 Event ID 4964 Introduced in Windows 2008 Use to track logon of particular accounts on systems
  • 29. Presenter’s Company Logo – replace on master slide #RSAC IOP #1 – Successful PtH 29 Event ID Event Log Level Logon Type Auth Package 4624 Security Informational 3 NTLM View filter -> Not a domain logon and not the ANONYMOUS LOGON account
  • 30. Presenter’s Company Logo – replace on master slide #RSAC IOP #2 – Failed PtH 30 Event ID Event Log Level Logon Type Auth. Package 4625 Security Informational 3 NTLM View Filter -> Not a domain logon and not the ANONYMOUS LOGON account
  • 31. Presenter’s Company Logo – replace on master slide #RSAC IOP #3 – New Scheduled Task 31 • Alert on new Event ID 7035 created by at[#].exe
  • 32. Presenter’s Company Logo – replace on master slide #RSAC IOP # 4 – Privilege Escalation 32 Alarm on login from non-workstation host to another non-workstation host Alarm on login from one workstation to another workstation Alarm on login attempts using known service accounts Alarm on creation of new domain admin account or elevation of account
  • 34. Presenter’s Company Logo – replace on master slide #RSAC Levels of Defense 34 100,000 Foot View • Layered preventive and detective controls • IOP hunting • User behavior analytics • Configure auditing / EDR or Sysmon • Honeypot deployment In the Weeds • Remove / restrict use of Powershell on endpoints • Look for IOP artifacts at the host and network levels • Mitigate Pass-the-Hash attacks
  • 35. Presenter’s Company Logo – replace on master slide #RSAC Optiv Research Methodology 35 We selected seven solutions that span across all endpoint categories The endpoint product was the only point of defense All endpoints were unpatched and vulnerable to the selected attacks Goal was to compare and contrast results from different types of endpoint solutions
  • 36. Presenter’s Company Logo – replace on master slide #RSAC Types of Solutions Tested 36 Endpoint Protection Platform (EPP) Exploitation Mitigation Endpoint Detection and Response (EDR) EDR and App Control
  • 37. Presenter’s Company Logo – replace on master slide #RSAC Testing Highlights 37 Lateral Movement • No silver bullets • Look for odd usage of scripts • Use threat modeling to identify how attackers would pivot through your network and build detection rules to identify IOPs • Leverage Windows event logs and timeline analysis • Control user-to-user communication and powershell script execution • Use enhanced authentication (OTP/2fa) for domain admin accounts • Implement mitigation strategies for Pass-the-Hash attacks
  • 38. Presenter’s Company Logo – replace on master slide #RSAC Detailed Results 38 Endpoint Protection Platform Anti- Exploitation EDR + App Control EDR Use Case Vendor # 1 Vendor # 2 Vendor # 3 Vendor # 4 Vendor # 5 Vendor # 6 Vendor # 7 UC-02.010: Install Tools Pass Pass Pass Fail Partial Fail Partial UC-03.001: Credential Theft Partial Partial Partial Fail Partial Fail Partial UC-04.001: Lateral Movement Reconnaissance Fail Fail Fail Fail Partial Fail Partial UC-04.002: Lateral Movement Malware Installation Pass Fail Pass Pass Partial Partial Partial
  • 39. Presenter’s Company Logo – replace on master slide #RSAC Enable Sufficient Logging 39 Sysmon EDR Audit policy configuration
  • 40. Presenter’s Company Logo – replace on master slide #RSAC Central Logging and Analysis 40 SIEM
  • 41. Presenter’s Company Logo – replace on master slide #RSAC Honeypots 41
  • 42. Presenter’s Company Logo – replace on master slide #RSAC For More Detailed Information 42 www.secopslabs.com
  • 43. Presenter’s Company Logo – replace on master slide #RSAC Apply What You Have Learned Today! 43 Next week you should: • Ensure sufficient logging is enabled to detect IOPs • Develop a detailed threat model for how attackers would pivot through your organization to gain access to your crown jewels In the first three months following this presentation you should: • Perform daily IOP hunting on your endpoints using either an EDR solution or Microsoft event logs • Deploy honeypots to the DMZ and user and server subnets Within six months you should: • Implement enhanced authentication for domain admin accounts and pass-the-hash mitigation strategies
  • 44. Presenter’s Company Logo – replace on master slide #RSAC References 44 www.ultimatewindowssecurity.com https://technet.microsoft.com/security/advisory/3004375 http://sysforensics.org/2014/01/lateral-movement/ www.optiv.com http://windowsir.blogspot.com/2013/07/howto-track-lateral- movement.html https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_wind ows_event_log_monitoring.pdf