Transcript of "Soldatov, gotz how to catch your “hacker” or makeshift security"

  1. HOW TO CATCH YOUR “HACKER” OR MAKESHIFT SECURITY
     Sergey Soldatov, Igor Gots
  2. AGENDA
     • Water
     • Fishing
     • Fishbite
     • Hookset
     ZERONIGHTS 2012 GOTS/SOLDATOV
  3. W?
  4. W?
  5. INFOSECURITY DEPT. HAS TO
     • Write corporate regulations
     • Make assessments (compliance &/| pentest)
     • Monitor logs!
  6. INFOSECURITY DEPT. HAS TO
     • Write corporate regulations
     • Make assessments (compliance &/| pentest)
     • Monitor logs!
  7. ATTACK STAGES
     • Information gathering
     • Passive learning
     • Active learning
     • Obtaining access
     • Maintaining access
     • Erasing evidence
  8. FISHING
     • Firewall/UTM/… :-)
     • IDS/IPS
       • Commercial
       • Opensource/free
     • Log analysis
       • Commercial
       • Opensource/free
  9. WHAT’S HAPPENING WHEN ONE’S BREAKING
     • Use or modification of privileged accounts
     • Configuration modification
     • Unusual activity
     • New services or applications
  10. TOOL DEPLOYMENT
  11. RECOMMENDED LIST OF EVENTS
      • Pros: Microsoft recommends
      • Cons: Huge amount of data
      • Fun:
  12. “IMPROVEMENTS” FOR MICROSOFT GUIDE
      • Admin logon from unusual place
      • Admin logon at unusual time
      • From one IP by different accounts
      • Lock >1 accounts from one IP
      • Password/Hash dump
      • Run system commands…
      Pros: More AI
      Cons: Need time
  13. UNIVERSAL METHODS
      • Start a service (windows)
      • Events (almost) never seen before
      Pros: Much more AI
      Cons: 100% we’ve forgotten smth.
  14. CONDITIONS
      • OS default configuration
      • Up2date AV is up and running
      • OS (almost) up2date
      Tested tools: fgdump, pwdump, pwdumpx, metasploit, wce, mimikatz
  15. NEVER SEEN BEFORE EVENTS
      • Approaches
        • Timeout for statistic collection (up to 24 hours)
        • Complex filtering (by criteria)
      • Risks
        • Server restart in case of intrusion
        • Intrusion during statistic gathering
        • Complex configuration
        • Details of event happening
  16. NEVER SEEN BEFORE EVENTS (RULE FOR SEC.PL)
  17. FGDUMP (REMOTE)
  18. PWDUMP6 (REMOTE)
  19. PWDUMPX (REMOTE)
  20. METASPLOIT
  21. WCE (LOCAL)
  22. BUT
  23. MIMIKATZ (LOCAL) … and NO LOGS!
  24. DETECTION
  25. HOPE, READY TO ANSWER YOUR QUESTIONS…. Thanks for Your attention!
      Igor Gots, Sergey Soldatov
      reply-to-all.blogspot.com
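As an added example (not the authors' sec.pl rule, which the deck only shows as a screenshot), here is a minimal "never seen before events" detector in the spirit of slides 15 and 16: every event key observed during the statistic-collection window (the deck says up to 24 hours) becomes baseline, and after the window any key not in the baseline raises an alert. The log format, event-ID criteria and log lines are all constructed for this example.

```python
"""Added example, not from the ZeroNights 2012 deck: learn a baseline of
event keys for BASELINE_WINDOW, then alert on keys never seen before."""
from datetime import datetime, timedelta

BASELINE_WINDOW = timedelta(hours=24)   # "timeout for statistic collection"

# Constructed sample lines: "<ISO time> <host> <EventID> <field>=<value> ..."
SAMPLE_LOG = """\
2012-11-19T08:00:00 srv1 7045 service=Spooler image=spoolsv.exe
2012-11-19T09:10:00 srv1 4624 user=admin ip=10.0.0.5
2012-11-19T20:00:00 srv1 4624 user=admin ip=10.0.0.5
2012-11-20T09:30:00 srv1 4624 user=admin ip=10.0.0.5
2012-11-20T10:00:00 srv1 7045 service=updsvc image=upd.exe
2012-11-20T10:01:00 srv1 4624 user=admin ip=203.0.113.9
"""

# "Complex filtering (by criteria)": which fields form the key per event id.
# Assumed mapping for this example: 7045 = service installed, 4624 = logon.
CRITERIA = {
    "7045": ("service", "image"),
    "4624": ("user", "ip"),
}

def parse(line):
    ts, host, eid, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), host, eid, fields

def event_key(host, eid, fields):
    crit = CRITERIA.get(eid)
    if crit is None:
        return None                     # event id not monitored: ignore
    return (host, eid) + tuple(fields.get(f, "") for f in crit)

def detect(log_text, window=BASELINE_WINDOW):
    """Return (timestamp, key) alerts for keys first seen after the window.
    Risk from slide 15: anything seen during the window, including an
    intrusion during statistic gathering, is silently learned as normal."""
    seen, alerts, start = set(), [], None
    for line in log_text.splitlines():
        ts, host, eid, fields = parse(line)
        key = event_key(host, eid, fields)
        if key is None:
            continue
        start = start or ts             # window starts at first event
        if key not in seen:
            seen.add(key)
            if ts - start >= window:    # learning over: novelty is an alert
                alerts.append((ts.isoformat(), key))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags only the new service and the admin logon from a new address, both of which arrive after the 24-hour window closes.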