Dominique Karg - Advanced Attack Detection using OpenSource tools

•

3 j'aime•2,229 vues

Security B-Sides

Technologie Business

AdvancedAttackDetection TheOpenSource Way :-) Dominique KargAlienVault / OSSIMBSidesSF 2010

The Play (AAA) Selfreminder: don‘tforgettellingwhatthisis all going to beabout.

TrojanEmulation/Analisys AlienVRTjaime.blasco@alienvault.com

Host behavior/Anomalies Spade/Spada AlienVRTjaime.blasco@alienvault.com

Windows Policies Snare http://www.intersectalliance.org

Flows ... NFDump/NFSen Heavilymodifiedfor OSSIM

TrafficBehavior NTop http://www.ntop.org

Correlation OSSIM http://www.alienvault.com

Installation Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

System informationgathering Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

CredentialStealing Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

Environmentdiscovery Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

Callinghome Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

Web pageinjection Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

NIDS Events (Unreliable, signaturebased, false positives)

Host Behavior/Anomalies (Misconfiguredservices cause those)

HIDS Events (False positives, lessdangerousstuff, signaturebased)

Windows Policies 592 – Processcreation 593 – Processdestruction 577 – Privsystemcalls (Noisy to filter out)

Flows (Malware mightcontactnon-RBNhosts)

Trafficbehavior (Hard to tune, tons of false positives)

Conclusion (Obtainingreliablesecuritythroughbruteforce)

Recommandé

Stealth post-exploitation with phpsploitNullbyte Security Conference

Getting_Started_With_DockerJason Greathouse

CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE

Adversary tactics config mgmt-&-logs-oh-myJesse Moore

CODE BLUE 2014 : BadXNU、イケてないリンゴ！ by ペドロ・ベラサ PEDRO VILAÇACODE BLUE

Hacker SpacePrathan Phongthiproek

Httpnando2207

Embedded government espionageMuts Byte

Recommandé

Stealth post-exploitation with phpsploitNullbyte Security Conference

Getting_Started_With_DockerJason Greathouse

CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE

Adversary tactics config mgmt-&-logs-oh-myJesse Moore

CODE BLUE 2014 : BadXNU、イケてないリンゴ！ by ペドロ・ベラサ PEDRO VILAÇACODE BLUE

Hacker SpacePrathan Phongthiproek

Httpnando2207

Embedded government espionageMuts Byte

Dissecting BetaBotsecurityxploded

Год в Github bugbounty, опыт участияdefcon_kz

Jailbreak desimlock i os 7 tutoriel frMateo Lopez

The A and the P of the Tpinkflawd

Introducing... Bananajour!Tim Lucas

IoT and IIOT at QuBit Prague 2018 Avast

EKFiddle: a framework to study Exploit KitsJerome Segura

如何利用 Docker 強化網站安全Tim Hsu

Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl

Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin

Zeus' Not Dead Yetpinkflawd

Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018Codemotion

The A and the P of the TCyphort

Intrusion TechniquesFestival Software Livre

Mmw anti sandbox_techniquesCyphort

Mmw anti sandboxtricksCyphort

MMW Anti-Sandbox TechniquesCyphort

Lukas Apa - Hacking Robots Before SkyNet NoNameCon

Web Application SecurityMarketingArrowECS_CZ

Cyber Security Coverage heat map Moti Sagey מוטי שגיא

The Good The Bad The VirtualClaudio Criscione

NYU Hacknight: iOS and OSX ABIMikhail Sosonkin

Contenu connexe

Tendances

Dissecting BetaBotsecurityxploded

Год в Github bugbounty, опыт участияdefcon_kz

Jailbreak desimlock i os 7 tutoriel frMateo Lopez

The A and the P of the Tpinkflawd

Introducing... Bananajour!Tim Lucas

IoT and IIOT at QuBit Prague 2018 Avast

EKFiddle: a framework to study Exploit KitsJerome Segura

如何利用 Docker 強化網站安全Tim Hsu

Tendances (8)

Dissecting BetaBot

Год в Github bugbounty, опыт участия

Jailbreak desimlock i os 7 tutoriel fr

The A and the P of the T

Introducing... Bananajour!

IoT and IIOT at QuBit Prague 2018

EKFiddle: a framework to study Exploit Kits

如何利用 Docker 強化網站安全

Similaire à Dominique Karg - Advanced Attack Detection using OpenSource tools

Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl

Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin

Zeus' Not Dead Yetpinkflawd

Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018Codemotion

The A and the P of the TCyphort

Intrusion TechniquesFestival Software Livre

Mmw anti sandbox_techniquesCyphort

Mmw anti sandboxtricksCyphort

MMW Anti-Sandbox TechniquesCyphort

Lukas Apa - Hacking Robots Before SkyNet NoNameCon

Web Application SecurityMarketingArrowECS_CZ

Cyber Security Coverage heat map Moti Sagey מוטי שגיא

The Good The Bad The VirtualClaudio Criscione

NYU Hacknight: iOS and OSX ABIMikhail Sosonkin

BSides Algiers - Nmap Scripting Engine - Hani BenhabilesShellmates

How to hide your browser 0-daysZoltan Balazs

DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh

Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang

Unmasking or De-Anonymizing YouE Hacking

Similaire à Dominique Karg - Advanced Attack Detection using OpenSource tools (20)

Simplest-Ownage-Human-Observed… - Routers

Filip palian mateuszkocielski. simplest ownage human observed… routers

Zeus' Not Dead Yet

Barbarians at the Gate(way) - Dave Lewis - Codemotion Amsterdam 2018

The A and the P of the T

Intrusion Techniques

Mmw anti sandbox_techniques

Mmw anti sandboxtricks

MMW Anti-Sandbox Techniques

Lukas Apa - Hacking Robots Before SkyNet

Web Application Security

Cyber Security Coverage heat map

The Good The Bad The Virtual

NYU Hacknight: iOS and OSX ABI

BSides Algiers - Nmap Scripting Engine - Hani Benhabiles

How to hide your browser 0-days

DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....

Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection

Unmasking or De-Anonymizing You

Plus de Security B-Sides

Lord of the bing b-sides atlSecurity B-Sides

The road to hell v0.6Security B-Sides

2010 07 BSidesLV Mobilizing The PCI Resistance 1c Security B-Sides

Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Security B-Sides

Social Penetration - Mike Murray and Mike BaileySecurity B-Sides

How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides

Risk Management - Time to blow it up and start over? - Alex HuttonSecurity B-Sides

Security? Who cares! - Brett HardinSecurity B-Sides

Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides

Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Security B-Sides

The Great Compliance Debate: No Child Left Behind or The Polio VaccineSecurity B-Sides

2009 Zacon Haroon MeerSecurity B-Sides

Enterprise Portals - Gateway to the GoldSecurity B-Sides

From fishing to phishing to ?Security B-Sides

Getting punched in the faceSecurity B-Sides

Make Tea Not WarSecurity B-Sides

OWASP ProxySecurity B-Sides

Smashing the stats for fun (and profit)Security B-Sides

ExploitationSecurity B-Sides

Layer 2 HackerySecurity B-Sides

Plus de Security B-Sides (20)

Lord of the bing b-sides atl

The road to hell v0.6

2010 07 BSidesLV Mobilizing The PCI Resistance 1c

Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...

Social Penetration - Mike Murray and Mike Bailey

How really to prepare for a credit card compromise (PCI) forensics investigat...

Risk Management - Time to blow it up and start over? - Alex Hutton

Security? Who cares! - Brett Hardin

Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...

Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine

2009 Zacon Haroon Meer

Enterprise Portals - Gateway to the Gold

From fishing to phishing to ?

Getting punched in the face

Make Tea Not War

OWASP Proxy

Smashing the stats for fun (and profit)

Exploitation

Layer 2 Hackery

Dernier

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

🐬 The future of MySQL is Postgres 🐘RTylerCroy

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j

HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics

Automating Google Workspace (GWS) & more with Apps Scriptwesley chun

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2

A Domino Admins Adventures (Engage 2024)Gabriella Davis

What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun

TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko

Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge

Partners Life - Insurer Innovation Award 2024The Digital Insurer

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

Dernier (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

🐬 The future of MySQL is Postgres 🐘

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

HTML Injection Attacks: Impact and Mitigation Strategies

Automating Google Workspace (GWS) & more with Apps Script

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Exploring the Future Potential of AI-Enabled Smartphone Processors

A Domino Admins Adventures (Engage 2024)

What Are The Drone Anti-jamming Systems Technology?

Powerful Google developer tools for immediate impact! (2023-24 C)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Handwritten Text Recognition for manuscripts and early printed texts

Driving Behavioral Change for Information Management through Data-Driven Gree...

Partners Life - Insurer Innovation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Dominique Karg - Advanced Attack Detection using OpenSource tools

1. AdvancedAttackDetection TheOpenSource Way :-) Dominique KargAlienVault / OSSIMBSidesSF 2010

2. Whatthistalkisnotabout

3. The Play (AAA) Selfreminder: don‘tforgettellingwhatthisis all going to beabout.

4. Actors (Presentingtheplayers)

5. ZEUS Askyourlocalmalwareprovider.

6. TrojanEmulation/Analisys AlienVRTjaime.blasco@alienvault.com

7. NIDS http://www.snort.org

8. Host behavior/Anomalies Spade/Spada AlienVRTjaime.blasco@alienvault.com

9. HIDS Trend... http://www.ossec.net

10. Windows Policies Snare http://www.intersectalliance.org

11. Flows ... NFDump/NFSen Heavilymodifiedfor OSSIM

12. TrafficBehavior NTop http://www.ntop.org

13. Correlation OSSIM http://www.alienvault.com

14. Attack (Whattheuserdoes *not* see)

15. Installation Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

16. System informationgathering Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

17. CredentialStealing Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

18. Environmentdiscovery Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

19. Callinghome Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

20. Web pageinjection Descriptiondetailesbased on: http://www.noryak.net/papers/zeus.pdf

21. Analysis (Whathappensbehindthescenes)

22. NIDS Events (Unreliable, signaturebased, false positives)

23. Host Behavior/Anomalies (Misconfiguredservices cause those)

24. HIDS Events (False positives, lessdangerousstuff, signaturebased)

25. Windows Policies 592 – Processcreation 593 – Processdestruction 577 – Privsystemcalls (Noisy to filter out)

26. Flows (Malware mightcontactnon-RBNhosts)

27. Trafficbehavior (Hard to tune, tons of false positives)

28. Correlation (The Key to success)

29. Conclusion (Obtainingreliablesecuritythroughbruteforce)

30. No single Pointof Failure

31. Easilyaddnewcomponents

32. Free! Cheap!

33.

34. Trythis out

35. Improveit

36. Share it

37.