- The document discusses securing Windows NT systems by reviewing the NT security architecture, known vulnerabilities, and methods for exploiting them. It provides guidance on hardening NT security through measures like reducing unnecessary services, restricting file and registry permissions, and enforcing stronger passwords. System administrators can assess their security posture using various scanning and auditing tools to detect vulnerabilities, non-compliant configurations, and potential security breaches.
2. Introduction
We all have a few questions about Windows NT security:
• Is it really secure?
• Should we be deploying Internet-connected Windows NT systems?
• What are the current vulnerabilities in NT?
3. Summary of Course
• Security vulnerabilities in the NT architecture and implementation
• Methods for addressing the existing and future security vulnerabilities
• Techniques and tools for assessing security posture
4. Who is in Attendance?
• Security Auditors?
• System Administrators?
• Developers?
• Others?
5. Agenda
• Some specifics of the NT security architecture
• Failings from a security perspective
• Securing your NT systems
• Assessing your security practices
7. Console Logon Process
• Interact with the GINA to give credentials
• GINA is the extensible part of WinLogon
• WinLogon talks to Authentication Packages through the LSA (Local Security Authority) using LogonUser()
• Current Authentication Package is MSV1_0 (NT LM Security Provider)
• Authentication Package returns a security token if credentials are correct
8. Network Logon Process
• Make connection to Server Service (SMB)
• Server Service generates a MSV1_0-compatible challenge and sends it to the client (in a SMB_COM_NEGPROT message)
• Client responds by encrypting the challenge, using the password as the encryption key, and sending it back to the server
9. Network Logon Process Cont.
• Server Service passes the client's response and the original challenge to MSV1_0 by calling LsaCallAuthenticationPackage() with the message type MsV1_0Lm20Logon
• LsaCallAuthenticationPackage() returns a security token to the Server service if everything is successful
10. Object Access
• Each object has a DACL (Discretionary Access Control List)
• Each process has a security token (from the logon process) attached which contains the identity and privileges of the user context it is executing under
• When a process attempts to access an object, the Security Reference Monitor in the kernel checks to see if the identity or privileges in the token match an ACL entry
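The token-against-DACL check described above, as an added example that is not part of the original slides: a simplified model of the Security Reference Monitor's access check (ordered allow/deny ACEs, the NULL-DACL case) applied to the "Everyone has FULL CONTROL of %SystemRoot%" situation from later slides. The access-mask bits, SIDs and group names are constructed for illustration, and privileges are not modelled.

```python
from dataclasses import dataclass, field

# Constructed access-right bits; the real NT ACCESS_MASK has more bits than this.
READ, WRITE, EXECUTE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8, 0x10
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | WRITE_DAC
RX = READ | EXECUTE


@dataclass
class Ace:
    sid: str            # trustee, e.g. "Everyone", "Administrators", or a SID string
    mask: int           # rights this ACE grants or denies
    deny: bool = False  # access-denied ACE when True


@dataclass
class Token:
    """The identity part of a process token: the user SID plus group SIDs."""
    user: str
    groups: set = field(default_factory=set)

    def sids(self):
        return {self.user, *self.groups}


def access_check(token, dacl, desired):
    """Return True if every bit of `desired` is granted to `token` by `dacl`.

    Rules in outline: a NULL DACL (None) grants everyone full access, an empty
    DACL grants nothing; ACEs are walked in order; a deny ACE naming a SID in
    the token that covers any still-unsatisfied right fails the check at once;
    allow ACEs accumulate rights until all desired bits are covered.
    """
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if ace.deny:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACLs: the default described on slide 18 and the RX setting
# recommended on slide 22.
WEAK_DACL = [Ace("Everyone", FULL_CONTROL), Ace("Administrators", FULL_CONTROL)]
HARDENED_DACL = [Ace("Everyone", RX), Ace("Administrators", FULL_CONTROL),
                 Ace("SYSTEM", FULL_CONTROL)]


def can_replace_system_file(token, dacl):
    """Could this token overwrite a file such as explorer.exe under `dacl`?"""
    return access_check(token, dacl, WRITE)


if __name__ == "__main__":
    local_user = Token("S-1-5-21-X-1001", groups={"Everyone", "Users"})
    admin = Token("S-1-5-21-X-500", groups={"Everyone", "Administrators"})
    print("weak DACL, local user can write:", can_replace_system_file(local_user, WEAK_DACL))
    print("hardened DACL, local user can write:", can_replace_system_file(local_user, HARDENED_DACL))
    print("hardened DACL, admin can write:", can_replace_system_file(admin, HARDENED_DACL))
```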
11. Impersonation
• Process obtains a security token for the user to be impersonated through the LogonUser() function or a direct call to an authentication package with LsaCallAuthenticationPackage()
• The process can use this token to temporarily change the user context of a thread to execute as the user (impersonate)
13. Exploits
• Anonymous connections
• Network authentication attacks
• Buffer overflows in privileged services
• Trojan horses and other file permission abuses
• Privilege escalation through architectural deficiencies
14. Anonymous Connections
• Created by using null credentials - net use \\target\IPC$ "" /user:""
• Prior to SP3 could remotely access the Registry on workstations and some servers
• Can enumerate users, groups, and get SIDs
• Possibly other unknown ramifications
15. Network Authentication Attacks
• Man-in-the-middle attack on the authentication sequence to gain remote access as an arbitrary user (fixed in SP3 if message signing is used)
• Password hash grabbing attacks using a known challenge (not fixed in SP3) or brute force
• Protocol downgrade attacks to obtain the plaintext password (fixed in SP3 by default)
16. Buffer Overflows
• They can happen in NT
• WebSite 1.0 had a couple of nifty CGI programs that could be overflowed
• The egg (shell code) has been written and published, so the hard work has been done
• Services running as SYSTEM or Administrator are the primary targets
17. Trojan Horses and File Permissions
• Targets: files (.exe, .dll, .reg) that will get executed by a privileged user - Administrator or System
• Extensible portions of the security system are key easy targets - Notification Packages, Password Filters, and GINAs all run under the System context
• FPNWCLNT.DLL is a great example: default Registry entry, but the DLL does not exist on NT 4.0 Workstations
18. File Permissions Cont.
• Group Everyone has write permission to %SystemRoot%\system32 by default, so any local user can add a notification package Trojan called FPNWCLNT.DLL that will get called in the System context
• Group Everyone has FULL CONTROL of %SystemRoot% by default, so even files like poledit.exe and explorer.exe which are (RX) can be changed by anyone
19. Privilege Escalation
• On July 4, GetAdmin was released on Usenet
• GetAdmin gains the privilege to attach to another process (SeDebugPrivilege) through a broken kernel API and then creates a thread in the Winlogon process that executes code in GASYS.DLL which adds an arbitrary user to the Administrators group. Very naughty ;)
21. Reduce Services
• Only services that are needed should be running - everything else should be disabled
• NT needs the following services to be started to function correctly: EventLog, Plug and Play, and Remote Procedure Call Service (TCP port 135 will be listening)
• Experiment - start with the above services and only add as needed
22. File Permissions
• Don't give the Everyone group FULL CONTROL of anything
• Check "Guidelines for securing Windows NT-based networks and systems" on www.microsoft.com
• %SystemRoot% and %SystemRoot%\system32 can be (RX) for non-admin users
• Removing execute permission from all executables that are not needed is a good thing
23. Registry Permissions
• Make sure HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg exists and only Administrators have permission to it
• Again, check "Guidelines for securing Windows NT-based networks and systems" on www.microsoft.com
• Use David LeBlanc's suggestions in the NT Security FAQ
24. General
• Use a password filter to enforce strong passwords (PASSFILT.DLL from SP2 or write your own)
• Use passprop.exe from the Resource Kit to enable account lockout on Administrator
• Disable network logons for Administrator-equivalent accounts
• Turn on auditing for security events
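The PASSFILT.DLL policy mentioned above, reimplemented in Python as an added example (not code from the original slides or from Microsoft) so candidate passwords can be tested against the rules offline: at least six characters, no occurrence of the user name or of any part of the full name, and three of the four character classes. The two-character cutoff for full-name parts follows the later Windows complexity documentation and is an assumption here; the account names are constructed.

```python
import re

MIN_LENGTH = 6


def _name_parts(full_name):
    # Split the full name on the usual separators; parts of one or two
    # characters are ignored (assumed cutoff, see lead-in).
    return [p for p in re.split(r"[ ,.\t_#-]+", full_name) if len(p) > 2]


def passfilt_check(password, user_name, full_name=""):
    """Return (ok, reason); `ok` is True when the password would be accepted."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    lowered = password.lower()
    # Case-insensitive substring checks against the account name and full name.
    if user_name and user_name.lower() in lowered:
        return False, "contains the user name"
    for part in _name_parts(full_name):
        if part.lower() in lowered:
            return False, f"contains part of the full name ({part})"
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return False, "fewer than three of: upper, lower, digit, symbol"
    return True, "ok"


if __name__ == "__main__":
    # Constructed account for illustration.
    for pw in ("secret", "Summer97", "JohnSmith1!", "xJSMITH9!", "Tr0ub4dor&3"):
        print(f"{pw:14s}", passfilt_check(pw, "jsmith", "John Smith"))
```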
25. Specific Fixes for Exploits
• Install SP3 and set the RestrictAnonymous registry value
• Change the DACL of NTOSKRNL.EXE to System and Administrator FULL CONTROL and Everyone EXECUTE (temp hack to fix GetAdmin - not long term)
• Remove FPNWCLNT from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\"Notification Packages"
• Use message signing NT to NT
26. More Fixes
• Use the TCP/IP Advanced Security options to block all TCP and UDP ports not being used - specifically TCP 135 if not using remote RPC
• Disable the WINS TCP/IP binding under the protocol tab and the Server service if the machine is a single-purpose server - WWW, FTP
28. Tools
• Your security policy
• ISS 4.31 for NT
• Ballista
• Kane Security Analyst
• NAT without #define SCANNER (see *hobbit's presentation)
• A good TCP and UDP port scanner
• The Resource Kit(s)
• Homebrew (C, TCL, Perl, etc.)
30. Port Scanning
• Do a full TCP and UDP port scan
• Take note of all listening ports and reference them against what you would expect for the services the machine is supposed to be running
• Common listening ports are TCP 135, 137, 138, 139, and several ephemeral ports, and UDP 135, 137, 138, and 139
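The review step above, automated as an added example that is not part of the original slides: listening sockets are parsed from `netstat -an` output and split into expected-for-role, NT ephemeral range, and unexpected. The netstat text is constructed sample output in the NT format, and the role profiles are an assumption for the example, not Microsoft's list.

```python
import re

# Constructed `netstat -an` output for an NT 4.0 box meant to be a WWW server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1044          ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
  UDP    0.0.0.0:161            *:*
"""

# The slide's common NT listening ports, plus each role's own service port.
# The role table is an assumption for this example.
NT_COMMON = {("TCP", 135), ("TCP", 137), ("TCP", 138), ("TCP", 139),
             ("UDP", 135), ("UDP", 137), ("UDP", 138), ("UDP", 139)}
EXPECTED = {
    "www": NT_COMMON | {("TCP", 80)},
    "ftp": NT_COMMON | {("TCP", 21)},
}
# NT 4.0's default dynamic port range (MaxUserPort defaults to 5000). RPC
# endpoints land here; check them against the endpoint mapper rather than
# dismissing them, and note that anything above 5000 is NOT treated as ephemeral.
EPHEMERAL = range(1024, 5001)

_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def listening_ports(netstat_text):
    """Return the set of (proto, port) sockets that accept input.

    TCP lines count only in LISTENING state; every UDP line counts because
    netstat prints no state for UDP sockets.
    """
    found = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, port))
    return found


def review(netstat_text, role):
    """Split listening ports into expected, ephemeral and unexpected sets."""
    ports = listening_ports(netstat_text)
    expected = EXPECTED[role]
    ephemeral = {p for p in ports if p not in expected and p[1] in EPHEMERAL}
    unexpected = ports - expected - ephemeral
    return {"expected": ports & expected, "ephemeral": ephemeral,
            "unexpected": unexpected}


if __name__ == "__main__":
    result = review(SAMPLE_NETSTAT, "www")
    for key in ("expected", "ephemeral", "unexpected"):
        print(f"{key:10s}", sorted(result[key]))
```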
31. Service Checks
• Tools like ISS, Ballista, and NAT are very helpful
• Remember port 139 is used by many services: file sharing and services using RPC over named pipes
• Check for all known bugs
• Look for unknown or excessive services
• See what information can be obtained through SNMP, netstat, the RPC end-point mapper, and remote Registry access
32. File Permission Checks
• Print out a list of all users and groups
• Use a tool like DumpAcl or Cacls to print out a list of all file and directory permissions
• Use your security policy as the basis for ACL checks
• Look for situations like directories with FULL CONTROL granted to a group that should not have access to some files within the directory
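The ACL review described above, run over cacls-style output as an added example (not from the original slides): one check flags broad groups with write, change or full control under %SystemRoot%, and the other finds the exact situation named on this slide and on slide 18, a directory that grants a group FULL CONTROL while a file inside it restricts that same group. The cacls text is constructed sample output, and the list of broad groups and the root path are assumptions for the example.

```python
import re

# Constructed cacls output in NT 4.0 style: a path followed by its first ACE,
# then indented continuation lines with the remaining ACEs.
SAMPLE_CACLS = r"""C:\WINNT Everyone:(OI)(CI)F
         BUILTIN\Administrators:(OI)(CI)F
         NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\WINNT\explorer.exe Everyone:R
                      BUILTIN\Administrators:F
C:\WINNT\poledit.exe Everyone:R
                     BUILTIN\Administrators:F
C:\WINNT\system32 Everyone:(OI)(CI)C
                  BUILTIN\Administrators:(OI)(CI)F
C:\WINNT\system32\drivers Everyone:(OI)(CI)R
                          BUILTIN\Administrators:(OI)(CI)F
"""

BROAD_GROUPS = {"Everyone", "Users", "Guests", "INTERACTIVE"}  # assumed list
WRITE_LIKE = {"W", "C", "F"}   # cacls letters that allow modifying content
# trustee, optional inheritance flags such as (OI)(CI), then the rights letter
_ACE = re.compile(r"^(.+?):((?:\([A-Z]+\))*)([A-Z]+)$")


def parse_cacls(text):
    """Return {path: [(trustee, rights), ...]} in the order cacls printed it."""
    acls, path = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # new path plus its first ACE
            path, rest = line.split(None, 1)
            acls[path] = []
        else:                                # continuation ACE for `path`
            rest = line.strip()
        m = _ACE.match(rest)
        if not m or path is None:
            raise ValueError(f"unparsed cacls line: {line!r}")
        trustee, _inherit, rights = m.groups()
        acls[path].append((trustee.split("\\")[-1], rights))
    return acls


def broad_write_entries(acls, root):
    """Entries under `root` where a broad group has W, C or F."""
    root = root.lower()
    return [(path, trustee, rights)
            for path, aces in acls.items() if path.lower().startswith(root)
            for trustee, rights in aces
            if trustee in BROAD_GROUPS and rights in WRITE_LIKE]


def inconsistent_full_control(acls):
    """Directories granting a group F while something inside restricts that group.

    FULL CONTROL on the directory includes delete-child, so the tighter ACL on
    the child does not stop that group replacing it (slide 18's explorer.exe case).
    """
    findings = []
    for path, aces in acls.items():
        full = {t for t, r in aces if r == "F"}
        prefix = path.rstrip("\\").lower() + "\\"
        for child, child_aces in acls.items():
            if child.lower().startswith(prefix):
                findings += [(path, t, child, r) for t, r in child_aces
                             if t in full and r != "F"]
    return findings


if __name__ == "__main__":
    acls = parse_cacls(SAMPLE_CACLS)
    print("broad write:", broad_write_entries(acls, r"C:\WINNT"))
    print("inconsistent:", inconsistent_full_control(acls))
```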
33. Registry Permission Checks
• Use Regedt32 or DumpAcl to list ACLs for HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT
• Again, use your security policy as a basis for your checks
• Look for situations where users can read or write sensitive keys and values
• The SNMP community name and AutoLogon password are viewable by everyone by default
34. Known Vulnerability Checks
• Check for all known vulnerabilities
• Look for potentially exploitable conditions like the ability to overwrite executables and dynamic link libraries
• Check for Registry keys and values writeable by non-administrators - there are several places by default that everyone can change which can lead to Trojan horses (.reg associations)
35. Policy Enforcement
• Is auditing enabled?
• Are password length and lifetime checks enabled?
• Do users belong to the correct groups?
• Kane Security Analyst is a good tool for this stuff
36. Summary
• We have covered the basics of how NT security operates, what some major problems are, strategies to tighten up security, and some methods for checking your risks
• Experiment with this knowledge - use it as a starting point and take tangents
37. Where to get more information
• http://www.microsoft.com/workshop/prog/security/guidesecnt.htm
• http://www.ntsecurity.net
• mailing list at ntsecurity@iss.net
• mailing list at ntbugtraq@rc.on.ca
• mailing list at bugtraq@netspace.org
• dominique.brezinski@cybersafe.com