OM
Uploaded byOddvar Moe
PPTX, PDF684 views

NIC 2017 - Attack and detection in Windows Environments

This document discusses attack and detection methods in Windows environments. It begins with an introduction of the presenter and their background. It then covers common attack vectors like phishing emails, exploiting NTLM hashes from pictures, and using compromised OWA accounts. The document discusses tools for open source intelligence gathering and demonstrates attacks. It provides recommendations for prevention through hardening configurations and enabling protections. Finally, it discusses tools and techniques for detection like Windows Defender ATP, logging, and hunting for threats. The overall message is to assume breach, implement defenses, enable detection, and regularly test security.

Embed presentation

Downloaded 17 times
Attack & Detection in Windows Environments
WHOAMI /ALL • Chief Technical Architect – Microsoft Security • Most Valuable Professional • Microsoft Certified Trainer • Giac Certified Penetration Tester • Microsoft infrastructure and security expert (security researcher) • 15 years+ with Microsoft technology • http://oddvar.moe • I like memes and gifs @oddvarmoe
My favorite Hollywood hack scene
My goal with this session • Give examples on real world attacks • Show my favorite external attacks • NTLM hash • Phishing mail • OWA rules • Show Internal reconnaissance • Counter measures and detection methods • Think Assume Breach! @oddvarmoe
Who is attacking? • 2 types of attackers @oddvarmoe VISIBLE ATTACKERS INVISIBLE ATTACKERS
Attack methodology • Open Source Intelligence • Homepage – metadata • Social medias • Password dumps • Google dorks • Shodan @oddvarmoe • Social engineering and Spear Phishing • Drive By Attacks • Brute force / Wordlist • Exploiting External servers • Alternate attack paths • 3.party
Attackers goal • Steal Intellectual property • Abuse infrastructure • Strategic goal • Disclose • Great example: Phineas Fisher -Hacking team - 2015 • http://pastebin.com/0SNSvyjJ • https://www.youtube.com/watch?v=BpyCl1Qm6Xs @oddvarmoe
Attack kill chain • Average 140 days
Open source intelligence Disclaimer: Accounts used in the following slides are just examples. Its illegal to use this information to logon. @oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe
@oddvarmoe http://haveibeenpwned.com
Other open source intelligence resources SHODAN.IO
Other open source intelligence resources DNSDUMPSTER.COM @oddvarmoe
Other open source intelligence resources Google and pastebin • "site:pastebin.com | site:paste2.org | site:paste.bradleygill.com | site:pastie.org | site:dpaste.com | site:paste.pocoo.org | site:pastie.textmate.org | site:slexy.org" intext:domainame.com @oddvarmoe
Other open source intelligence resources SCRAPING HOMEPAGE - FOCA @oddvarmoe
Attack demos • Gain access: • NTLM hash from picture • Sending attachments • Using OWA • Escalate privileges: • Scan for local admin rights on other machines • Place LNK on share • Look through shares • Persistence @oddvarmoe
Red Team Tool – Powershell Empire • Shoutout to • Will Schroeder - @harmj0y • Justin Warner - @sixdub • Matt Nelson - @enigma0x3 • www.powershellempire.com @oddvarmoe
DEMO – Gaining Access @oddvarmoe
Preventing these attacks • OWA – use MFA • Attachments on mail • Enable extra protection in GPO • https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office- 2016-can-block-macros-and-help-prevent-infection/ • AppLocker/Device Guard • Lock down shares • Local admin • Client to client communication • Make internet great again and block 445 • Net cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net- 1e8dcb5b • Test your security – You test your backup don’t you? @oddvarmoe
Detecting the attacks • Windows Defender ATP • Windows Advanced Threat Analytics • User Behavior • Exchange Online ATP • Do a hunt • Cimsweep is nice: https://github.com/PowerShellMafia/CimSweep • Tripwire or Sysmon • More logging! https://adsecurity.org/?p=3377 • IDS / IPS • SIEM / OMS @oddvarmoe
DEMO – Detection @oddvarmoe
SUMMARY • Assume breach • Harden your stuff • Get detection going • Test your security • Educate end users • Do regular hunting @oddvarmoe
THANKS FOR YOUR TIME http://oddvar.moe
Don’t be like Trump Give me a green card when you exit

More Related Content

PPTX
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
PPTX
Bug bounty
byn|u - The Open Security Community
 
PDF
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
PPTX
Hacke windows med windows - avanserte angrep
byOddvar Moe
 
PPTX
Word press security
byJigar Pandya
 
PDF
Security awareness for information security team
byKirill Ermakov
 
PPTX
Why vulners? Short story about reinventing a wheel
byKirill Ermakov
 
PDF
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
Bug bounty
byn|u - The Open Security Community
 
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
Hacke windows med windows - avanserte angrep
byOddvar Moe
 
Word press security
byJigar Pandya
 
Security awareness for information security team
byKirill Ermakov
 
Why vulners? Short story about reinventing a wheel
byKirill Ermakov
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
byAnant Shrivastava
 

What's hot

PDF
Attacking Drupal
byGreg Foss
 
PPTX
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
PDF
Hacking Web Apps by Brent White
byEC-Council
 
PDF
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
PDF
MR201504 Web Defacing Attacks Targeting WordPress
byFFRI, Inc.
 
PPTX
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PPTX
"Introduction to Bug Hunting", Yasser Ali
byHackIT Ukraine
 
PDF
Vulners: Google for hackers
byKirill Ermakov
 
PDF
Is rust language really safe?
byNullbyte Security Conference
 
PPTX
Password Stealing & Enhancing User Authentication Using Opass Protocol
byPrasad Pawar
 
PDF
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
byChris Gates
 
PPTX
XSS (Cross Site Scripting)
byShubham Gupta
 
PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PDF
10 things I’ve learnt about web application security
byJames Crowley
 
PDF
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
byÖmer Çıtak
 
PPTX
Don't get stung - an introduction to the OWASP Top 10
byBarry Dorrans
 
PPTX
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
PDF
How To Build The Perfect Backtrack 4 Usb Drive
bykriggins
 
Attacking Drupal
byGreg Foss
 
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
Hacking Web Apps by Brent White
byEC-Council
 
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
MR201504 Web Defacing Attacks Targeting WordPress
byFFRI, Inc.
 
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
"Introduction to Bug Hunting", Yasser Ali
byHackIT Ukraine
 
Vulners: Google for hackers
byKirill Ermakov
 
Is rust language really safe?
byNullbyte Security Conference
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
byPrasad Pawar
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
byChris Gates
 
XSS (Cross Site Scripting)
byShubham Gupta
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
10 things I’ve learnt about web application security
byJames Crowley
 
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
byÖmer Çıtak
 
Don't get stung - an introduction to the OWASP Top 10
byBarry Dorrans
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
How To Build The Perfect Backtrack 4 Usb Drive
bykriggins
 

Similar to NIC 2017 - Attack and detection in Windows Environments

PDF
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
byMichael Gough
 
PPTX
Advanced Persistent Threats (APTs) - Information Security Management
byMayur Nanotkar
 
PDF
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
byNCCOMMS
 
PPTX
Adversary tactics config mgmt-&-logs-oh-my
byJesse Moore
 
PDF
InnoTech 2017_Defend_Against_Ransomware 3.0
byMichael Gough
 
PDF
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
byGabriel Mathenge
 
PPTX
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
byjasonjfrank
 
PDF
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
byJerod Brennen
 
PPTX
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
byBeau Bullock
 
PDF
Finding attacks with these 6 events
byMichael Gough
 
PPTX
Offence oriented Defence
bySensePost
 
PPTX
Practical Defense
bySean Whalen
 
PPTX
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
byJohn Bambenek
 
PDF
Windows Incident Response is hard, but doesn't have to be
byMichael Gough
 
PDF
Defending against Ransomware and what you can do about it
byJoAnna Cheshire
 
PDF
Issa jason dablow
byISSA LA
 
PDF
Proper logging can catch breaches like retail PoS
byMichael Gough
 
PDF
Proper logging can catch breaches like retail PoS
byMichael Gough
 
PPTX
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
byCODE BLUE
 
PDF
FY19_RVAs_Mapped_to_the_MITRE_ATTCK_Framework_508.pdf
bysikandar girgoukar
 
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
byMichael Gough
 
Advanced Persistent Threats (APTs) - Information Security Management
byMayur Nanotkar
 
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho
byNCCOMMS
 
Adversary tactics config mgmt-&-logs-oh-my
byJesse Moore
 
InnoTech 2017_Defend_Against_Ransomware 3.0
byMichael Gough
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
byGabriel Mathenge
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
byjasonjfrank
 
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
byJerod Brennen
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
byBeau Bullock
 
Finding attacks with these 6 events
byMichael Gough
 
Offence oriented Defence
bySensePost
 
Practical Defense
bySean Whalen
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
byJohn Bambenek
 
Windows Incident Response is hard, but doesn't have to be
byMichael Gough
 
Defending against Ransomware and what you can do about it
byJoAnna Cheshire
 
Issa jason dablow
byISSA LA
 
Proper logging can catch breaches like retail PoS
byMichael Gough
 
Proper logging can catch breaches like retail PoS
byMichael Gough
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
byCODE BLUE
 
FY19_RVAs_Mapped_to_the_MITRE_ATTCK_Framework_508.pdf
bysikandar girgoukar
 

More from Oddvar Moe

PPTX
Windows Client Privilege Escalation-Shared.pptx
byOddvar Moe
 
PPTX
Phishing past mail protection controls using azure information
byOddvar Moe
 
PPTX
Enkel og effektiv herding av windows
byOddvar Moe
 
PPTX
#Lolbins - Nothing to LOL about!
byOddvar Moe
 
PPTX
App-o-Lockalypse now!
byOddvar Moe
 
PPTX
Hva avanserte hackere gjør for å få tilgang - Publisert.pptx
byOddvar Moe
 
PPTX
Angrep og deteksjon user group 22.september
byOddvar Moe
 
PPTX
Windows binærfiler
byOddvar Moe
 
PPTX
Red teaming and war stories
byOddvar Moe
 
Windows Client Privilege Escalation-Shared.pptx
byOddvar Moe
 
Phishing past mail protection controls using azure information
byOddvar Moe
 
Enkel og effektiv herding av windows
byOddvar Moe
 
#Lolbins - Nothing to LOL about!
byOddvar Moe
 
App-o-Lockalypse now!
byOddvar Moe
 
Hva avanserte hackere gjør for å få tilgang - Publisert.pptx
byOddvar Moe
 
Angrep og deteksjon user group 22.september
byOddvar Moe
 
Windows binærfiler
byOddvar Moe
 
Red teaming and war stories
byOddvar Moe
 

Recently uploaded

PDF
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
PDF
Introduction to Linux and Basic Commands
byiDev Semarang
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PPTX
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PPTX
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
PPTX
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
PDF
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
DOCX
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
Introduction to Linux and Basic Commands
byiDev Semarang
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 

NIC 2017 - Attack and detection in Windows Environments

  • 2.
    Attack & Detectionin Windows Environments
  • 3.
    WHOAMI /ALL • ChiefTechnical Architect – Microsoft Security • Most Valuable Professional • Microsoft Certified Trainer • Giac Certified Penetration Tester • Microsoft infrastructure and security expert (security researcher) • 15 years+ with Microsoft technology • http://oddvar.moe • I like memes and gifs @oddvarmoe
  • 4.
  • 5.
    My goal withthis session • Give examples on real world attacks • Show my favorite external attacks • NTLM hash • Phishing mail • OWA rules • Show Internal reconnaissance • Counter measures and detection methods • Think Assume Breach! @oddvarmoe
  • 6.
    Who is attacking? •2 types of attackers @oddvarmoe VISIBLE ATTACKERS INVISIBLE ATTACKERS
  • 7.
    Attack methodology • OpenSource Intelligence • Homepage – metadata • Social medias • Password dumps • Google dorks • Shodan @oddvarmoe • Social engineering and Spear Phishing • Drive By Attacks • Brute force / Wordlist • Exploiting External servers • Alternate attack paths • 3.party
  • 8.
    Attackers goal • StealIntellectual property • Abuse infrastructure • Strategic goal • Disclose • Great example: Phineas Fisher -Hacking team - 2015 • http://pastebin.com/0SNSvyjJ • https://www.youtube.com/watch?v=BpyCl1Qm6Xs @oddvarmoe
  • 9.
    Attack kill chain •Average 140 days
  • 10.
    Open source intelligence Disclaimer:Accounts used in the following slides are just examples. Its illegal to use this information to logon. @oddvarmoe
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
    Other open sourceintelligence resources SHODAN.IO
  • 19.
    Other open sourceintelligence resources DNSDUMPSTER.COM @oddvarmoe
  • 20.
    Other open sourceintelligence resources Google and pastebin • "site:pastebin.com | site:paste2.org | site:paste.bradleygill.com | site:pastie.org | site:dpaste.com | site:paste.pocoo.org | site:pastie.textmate.org | site:slexy.org" intext:domainame.com @oddvarmoe
  • 21.
    Other open sourceintelligence resources SCRAPING HOMEPAGE - FOCA @oddvarmoe
  • 22.
    Attack demos • Gainaccess: • NTLM hash from picture • Sending attachments • Using OWA • Escalate privileges: • Scan for local admin rights on other machines • Place LNK on share • Look through shares • Persistence @oddvarmoe
  • 23.
    Red Team Tool– Powershell Empire • Shoutout to • Will Schroeder - @harmj0y • Justin Warner - @sixdub • Matt Nelson - @enigma0x3 • www.powershellempire.com @oddvarmoe
  • 24.
    DEMO – GainingAccess @oddvarmoe
  • 25.
    Preventing these attacks •OWA – use MFA • Attachments on mail • Enable extra protection in GPO • https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office- 2016-can-block-macros-and-help-prevent-infection/ • AppLocker/Device Guard • Lock down shares • Local admin • Client to client communication • Make internet great again and block 445 • Net cease https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net- 1e8dcb5b • Test your security – You test your backup don’t you? @oddvarmoe
  • 26.
    Detecting the attacks •Windows Defender ATP • Windows Advanced Threat Analytics • User Behavior • Exchange Online ATP • Do a hunt • Cimsweep is nice: https://github.com/PowerShellMafia/CimSweep • Tripwire or Sysmon • More logging! https://adsecurity.org/?p=3377 • IDS / IPS • SIEM / OMS @oddvarmoe
  • 27.
  • 28.
    SUMMARY • Assume breach •Harden your stuff • Get detection going • Test your security • Educate end users • Do regular hunting @oddvarmoe
  • 29.
  • 30.
    Don’t be like Trump Giveme a green card when you exit

Editor's Notes