Soldatov, Gots: How to catch your “hacker” or makeshift security
Soldatov, Gots: How to catch your “hacker” or makeshift security (presentation transcript)

  • 1. HOW TO CATCH YOUR “HACKER” OR MAKESHIFT SECURITY. Sergey Soldatov, Igor Gots
  • 2. AGENDA
      • Water
      • Fishing
      • Fishbite
      • Hookset
    ZERONIGHTS 2012 GOTS/SOLDATOV 2
  • 3. W?
  • 4. W?
  • 5. INFOSECURITY DEPT. HAS TO
      • Write corporate regulations
      • Make assessments (compliance &/| pentest)
      • Monitor logs!
  • 7. ATTACK STAGES
      • Information gathering
      • Passive learning
      • Active learning
      • Obtaining access
      • Maintaining access
      • Erasing evidence
  • 8. FISHING
      • Firewall/UTM/… :-)
      • IDS/IPS (commercial; open-source/free)
      • Log analysis (commercial; open-source/free)
  • 9. WHAT’S HAPPENING WHEN ONE’S BREAKING IN
      • Use or modification of privileged accounts
      • Configuration modification
      • Unusual activity
      • New services or applications
  • 10. TOOL DEPLOYMENT
  • 11. RECOMMENDED LIST OF EVENTS
      • Pros: Microsoft recommends it
      • Cons: huge amount of data
      • Fun:
  • 12. “IMPROVEMENTS” FOR MICROSOFT GUIDE
      • Admin logon from unusual place
      • Admin logon at unusual time
      • From one IP by different accounts
      • Lock >1 accounts from one IP
      • Password/hash dump
      • Run system commands…
      • Pros: more AI
      • Cons: need time
  • 13. UNIVERSAL METHODS
      • Start a service (Windows)
      • Events (almost) never seen before
      • Pros: much more AI
      • Cons: 100% we’ve forgotten something
  • 14. CONDITIONS
      • OS default configuration
      • Up-to-date AV is up and running
      • OS (almost) up to date
      Tested tools: fgdump, pwdump, pwdumpx, metasploit, wce, mimikatz
  • 15. NEVER SEEN BEFORE EVENTS
      • Approaches
          • Timeout for statistic collection (up to 24 hours)
          • Complex filtering (by criteria)
      • Risks
          • Server restart in case of intrusion
          • Intrusion during statistic gathering
          • Complex configuration
          • Details of event happening
  • 16. NEVER SEEN BEFORE EVENTS (RULE FOR SEC.PL)
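The slides only show the sec.pl rule as a screenshot, so the following is an added example (mine, not the authors' rule) that implements the three rule families from slides 12, 13 and 15 over a handful of constructed log records: the "improvements" heuristics (admin logon at an unusual time, many accounts from one IP, more than one lockout from one IP), the "universal" check for a newly installed service, and the "never seen before" baseline with a 24-hour learning window. The record format, the host names and IPs, the admin account list and the working-hours range are all assumptions; the event IDs are the standard Windows ones (4624, 4625, 4672, 4740, 7045, 4697), which the slides do not name.

```python
"""Toy detectors for the rule families on slides 12, 13 and 15.

Added example, not the authors' sec.pl rule. LOG is constructed for the demo.
Event IDs carry their standard Windows meaning (not stated on the slides):
4624 logon, 4625 failed logon, 4672 special privileges assigned,
4740 account locked out, 7045 / 4697 service installed (System / Security log).
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_WINDOW = timedelta(hours=24)   # slide 15: "up to 24 hours"
SERVICE_INSTALL_IDS = {7045, 4697}      # slide 13: "start a service (Windows)"
ADMIN_ACCOUNTS = {"administrator"}      # assumption: who counts as an admin
WORK_HOURS = range(8, 20)               # assumption: 08:00-19:59 is "usual time"

# Constructed records: timestamp|host|event_id|account|source_ip|detail
LOG = """\
2012-11-19T09:00:00|DC1|4624|jsmith|10.0.0.15|interactive logon
2012-11-19T09:05:00|DC1|4624|Administrator|10.0.0.5|network logon
2012-11-19T10:00:00|FS1|4624|jsmith|10.0.0.15|network logon
2012-11-19T12:00:00|FS1|4672|Administrator|-|special privileges assigned
2012-11-21T02:10:00|FS1|4624|Administrator|10.0.0.99|network logon
2012-11-21T02:10:05|FS1|7045|Administrator|-|service 'svc-a1b2' installed
2012-11-21T02:11:00|FS1|4625|bob|10.0.0.99|bad password
2012-11-21T02:11:10|FS1|4625|alice|10.0.0.99|bad password
2012-11-21T02:11:20|FS1|4625|carol|10.0.0.99|bad password
2012-11-21T02:12:00|FS1|4740|bob|10.0.0.99|account locked out
2012-11-21T02:12:10|FS1|4740|alice|10.0.0.99|account locked out
"""


def parse(line):
    """Split one constructed record into a dict; the account is lower-cased."""
    ts, host, eid, acct, ip, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": int(eid),
            "account": acct.lower(), "src_ip": ip, "detail": detail}


EVENTS = [parse(l) for l in LOG.splitlines()]


def admin_logon_off_hours(events, hours=WORK_HOURS):
    """Slide 12: admin logon at an unusual time."""
    return [(e["ts"].isoformat(), e["host"], e["account"], e["src_ip"])
            for e in events
            if e["event_id"] == 4624 and e["account"] in ADMIN_ACCOUNTS
            and e["ts"].hour not in hours]


def accounts_per_ip(events, min_accounts=3):
    """Slide 12: several different accounts used from one source IP."""
    seen = defaultdict(set)
    for e in events:
        if e["event_id"] in (4624, 4625) and e["src_ip"] != "-":
            seen[e["src_ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in seen.items() if len(a) >= min_accounts}


def lockouts_per_ip(events, min_lockouts=2):
    """Slide 12: more than one account locked out from one source IP."""
    locked = defaultdict(set)
    for e in events:
        if e["event_id"] == 4740:
            locked[e["src_ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in locked.items() if len(a) >= min_lockouts}


def new_services(events):
    """Slide 13: a service was installed, the footprint of the remote dumpers."""
    return [(e["host"], e["detail"]) for e in events
            if e["event_id"] in SERVICE_INSTALL_IDS]


def never_seen_before(events, window=BASELINE_WINDOW):
    """Slide 15: learn (host, event_id) pairs for `window` after the first event,
    then alert once per pair that was not learned. Anything inside the learning
    window is silently trusted: the slide's 'intrusion during statistic
    gathering' risk."""
    events = sorted(events, key=lambda e: e["ts"])
    if not events:
        return []
    learn_until = events[0]["ts"] + window
    baseline, alerts = set(), []
    for e in events:
        key = (e["host"], e["event_id"])
        if e["ts"] < learn_until:
            baseline.add(key)
        elif key not in baseline:
            baseline.add(key)   # alert once, then treat the pair as known
            alerts.append((e["ts"].isoformat(), *key))
    return alerts


if __name__ == "__main__":
    for name, fn in [("admin off-hours", admin_logon_off_hours),
                     ("accounts per IP", accounts_per_ip),
                     ("lockouts per IP", lockouts_per_ip),
                     ("new services", new_services),
                     ("never seen before", never_seen_before)]:
        print(f"{name}: {fn(EVENTS)}")
```

On the constructed data the baseline learns only the three (host, event) pairs from 19 November, so the 7045, 4625 and 4740 events on 21 November each raise one alert, and the per-IP rules both point at 10.0.0.99. The caveat the deck itself makes on slides 21 to 23 applies here too: a dumper that runs locally and reads credentials in process (wce, mimikatz) installs no service and, in the authors' test, left no log at all, so neither the service rule nor the baseline has anything to fire on.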
  • 17. FGDUMP (REMOTE)
  • 18. PWDUMP6 (REMOTE)
  • 19. PWDUMPX (REMOTE)
  • 20. METASPLOIT
  • 21. WCE (LOCAL)
  • 22. BUT
  • 23. MIMIKATZ (LOCAL) … and NO LOGS!
  • 24. DETECTION
  • 25. HOPE, READY TO ANSWER YOUR QUESTIONS…. Thanks for your attention! Igor Gots, Sergey Soldatov, reply-to-all.blogspot.com