How to catch your “hacker” or makeshift security
•1 like•1,003 views
Report
Share
Download to read offline
More Related Content
More from Sergey Soldatov
More from Sergey Soldatov(18)
Recently uploaded
Recently uploaded(20)
How to catch your “hacker” or makeshift security
- 1. HOW TO CATCH YOUR “HACKER” OR MAKESHIFT SECURITY Sergey Soldatov Igor Gots
- 2. AGENDA • Water • Fishing • Fishbite • Hookset ZERONIGHTS 2012 GOTS/SOLDATOV 2
- 3. AGENDA • Water • Fishing • Fishbite • Hookset ZERONIGHTS 2012 GOTS/SOLDATOV 3
- 6. INFOSECURITY DEPT. HAS TO • Write corporate regulations • Make assessments (compliance &/| pentest) • Monitor logs! ZERONIGHTS 2012 GOTS/SOLDATOV 6
- 7. INFOSECURITY DEPT. HAS TO • Write corporate regulations • Make assessments (compliance &/| pentest) • Monitor logs! ZERONIGHTS 2012 GOTS/SOLDATOV 7
- 8. ATTACK STAGES • Information gathering • Passive learning • Active learning • Obtaining access • Maintaining access • Erasing evidence ZERONIGHTS 2012 GOTS/SOLDATOV 8
- 9. FISHING • Firewall/UTM/… :-) • IDS/IPS • Commercial • Opensource/free • Log analysis • Commercial • Opensource/free ZERONIGHTS 2012 GOTS/SOLDATOV 9
- 10. WHAT’S HAPPENING WHEN ONE’S BREAKING • Use or modification of privileged accounts • Configuration modification • Unusual activity • New services or applications ZERONIGHTS 2012 GOTS/SOLDATOV 10
- 11. TOOL DEPLOYMENT ZERONIGHTS 2012 GOTS/SOLDATOV 11
- 12. RECOMMENDED LIST OF EVENTS • Pros: • Microsoft recommends • Cons: • Huge amount of data • Fun: ZERONIGHTS 2012 GOTS/SOLDATOV 12
- 13. RECOMMENDED LIST OF EVENTS • Pros: • Microsoft recommends • Cons: • Huge amount of data • Fun: ZERONIGHTS 2012 GOTS/SOLDATOV 13
- 14. “IMPROVEMENTS” FOR MICROSOFT GUIDE • Admin logon from unusual place • Pros: • Admin logon at unusual time • More AI • From one IP by different accounts • Cons: • Lock >1 accounts from one IP • Need time • Password/Hash dump • Run system commands … ZERONIGHTS 2012 GOTS/SOLDATOV 14
- 15. UNIVERSAL METHODS • Pros: • Start a service (windows) • Much more AI • Events (almost) never • Cons: seen before • 100% we’ve forgotten smth. ZERONIGHTS 2012 GOTS/SOLDATOV 15
- 16. CONDITIONS • Tested tools: • OS default configuration • fgdump • Up2date AV is up • pwdump and running • pwdumpx • OS (almost) up2date • metasploit • wce • mimikatz ZERONIGHTS 2012 GOTS/SOLDATOV 16
- 17. NEVER SEEN BEFORE EVENTS • Approaches • Timeout for statistic collection (up to 24 hours) • Complex filtering (by criteria) • Risks • Server restart in case of intrusion • Intrusion during statistic gathering • Complex configuration • Details of event happening ZERONIGHTS 2012 GOTS/SOLDATOV 17
- 18. NEVER SEEN BEFORE EVENTS (RULE FOR SEC.PL) ZERONIGHTS 2012 GOTS/SOLDATOV 18
- 19. FGDUMP (REMOTE) ZERONIGHTS 2012 GOTS/SOLDATOV 19
- 20. PWDUMP6 (REMOTE) ZERONIGHTS 2012 GOTS/SOLDATOV 20
- 21. PWDUMPX (REMOTE) ZERONIGHTS 2012 GOTS/SOLDATOV 21
- 22. METASPLOIT ZERONIGHTS 2012 GOTS/SOLDATOV 22
- 23. WCE (LOCAL) ZERONIGHTS 2012 GOTS/SOLDATOV 23
- 28. MIMIKATZ (LOCAL) … and NO LOGS! ZERONIGHTS 2012 GOTS/SOLDATOV 28
- 29. MIMIKATZ (LOCAL) … and NO LOGS! ZERONIGHTS 2012 GOTS/SOLDATOV 29
- 30. MIMIKATZ (LOCAL) … and NO LOGS! ZERONIGHTS 2012 GOTS/SOLDATOV 30
- 31. MIMIKATZ (LOCAL) … and NO LOGS! ZERONIGHTS 2012 GOTS/SOLDATOV 31
- 32. MIMIKATZ (LOCAL) … and NO LOGS! ZERONIGHTS 2012 GOTS/SOLDATOV 32
- 34. HOPE, READY TO ANSWER YOUR QUESTIONS…. Thanks for Your attention! Igor Gots Sergey Soldatov reply-to-all.blogspot.com ZERONIGHTS 2012 GOTS/SOLDATOV 34