Soldatov, Gots: How to catch your “hacker” or makeshift security
Transcript

  • 1. HOW TO CATCH YOUR “HACKER” OR MAKESHIFT SECURITY
    Sergey Soldatov, Igor Gots
  • 2. AGENDA
    • Water
    • Fishing
    • Fishbite
    • Hookset
    ZERONIGHTS 2012 GOTS/SOLDATOV
  • 3. W?
  • 4. W?
  • 5. INFOSECURITY DEPT. HAS TO
    • Write corporate regulations
    • Make assessments (compliance &/| pentest)
    • Monitor logs!
  • 7. ATTACK STAGES
    • Information gathering
    • Passive learning
    • Active learning
    • Obtaining access
    • Maintaining access
    • Erasing evidence
  • 8. FISHING
    • Firewall/UTM/… :-)
    • IDS/IPS
      • Commercial
      • Opensource/free
    • Log analysis
      • Commercial
      • Opensource/free
  • 9. WHAT’S HAPPENING WHEN ONE’S BREAKING
    • Use or modification of privileged accounts
    • Configuration modification
    • Unusual activity
    • New services or applications
  • 10. TOOL DEPLOYMENT
  • 11. RECOMMENDED LIST OF EVENTS
    • Pros:
      • Microsoft recommends
    • Cons:
      • Huge amount of data
    • Fun:
  • 12. “IMPROVEMENTS” FOR MICROSOFT GUIDE
    • Admin logon from unusual place
    • Admin logon at unusual time
    • From one IP by different accounts
    • Lock >1 accounts from one IP
    • Password/Hash dump
    • Run system commands…
    • Pros:
      • More AI
    • Cons:
      • Need time
  • 13. UNIVERSAL METHODS
    • Start a service (windows)
    • Events (almost) never seen before
    • Pros:
      • Much more AI
    • Cons:
      • 100% we’ve forgotten smth.
  • 14. CONDITIONS
    • OS default configuration
    • Up2date AV is up and running
    • OS (almost) up2date
    • Tested tools:
      • fgdump
      • pwdump
      • pwdumpx
      • metasploit
      • wce
      • mimikatz
  • 15. NEVER SEEN BEFORE EVENTS
    • Approaches
      • Timeout for statistic collection (up to 24 hours)
      • Complex filtering (by criteria)
    • Risks
      • Server restart in case of intrusion
      • Intrusion during statistic gathering
      • Complex configuration
      • Details of event happening
  • 16. NEVER SEEN BEFORE EVENTS (RULE FOR SEC.PL)
  • 17. FGDUMP (REMOTE)
  • 18. PWDUMP6 (REMOTE)
  • 19. PWDUMPX (REMOTE)
  • 20. METASPLOIT
  • 21. WCE (LOCAL)
  • 22. BUT
  • 23. MIMIKATZ (LOCAL) … and NO LOGS!
  • 24. DETECTION
  • 25. HOPE, READY TO ANSWER YOUR QUESTIONS…. Thanks for Your attention!
    Igor Gots, Sergey Soldatov
    reply-to-all.blogspot.com
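The "never seen before events" approach from slides 13 and 15 (collect statistics for up to 24 hours, then alert on any event that was not in the baseline), as an added Python example; it is not the authors' sec.pl rule, which the transcript does not include. The record layout, the sample log entries, the account and service names are constructed; 7045 (service installed) and 4624 (successful logon) are standard Windows event IDs, and the second demo shows the slide's "intrusion during statistic gathering" risk.

```python
from datetime import datetime, timedelta
BASELINE_HOURS = 24  # statistic-collection window from slide 15 ("up to 24 hours")

def event_key(rec):
    # Criteria that make two events "the same"; narrow or widen this tuple
    # to implement the slide's "complex filtering (by criteria)".
    return (rec["source"], rec["event_id"], rec["detail"])

def detect_never_seen(records, baseline_hours=BASELINE_HOURS, key_fn=event_key):
    """Learn every key observed during the first baseline_hours after the first
    record, then report each key that first appears after that window (once)."""
    records = sorted(records, key=lambda r: r["ts"])
    if not records:
        return []
    cutoff = records[0]["ts"] + timedelta(hours=baseline_hours)
    seen, alerts = set(), []
    for r in records:
        k = key_fn(r)
        if r["ts"] < cutoff:
            seen.add(k)          # learning phase: everything is assumed benign
        elif k not in seen:
            alerts.append((r["ts"].isoformat(), k))
            seen.add(k)          # alert once per new key so repeats do not flood
    return alerts

def rec(ts, source, event_id, detail):
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "event_id": event_id, "detail": detail}

# Constructed sample records (not real logs). 7045 is the Service Control
# Manager's "a service was installed" event; 4624 is a successful logon.
BASELINE = [
    rec("2012-11-19T08:00:00", "Security", 4624, "alice"),
    rec("2012-11-19T08:05:00", "Service Control Manager", 7036, "Spooler"),
    rec("2012-11-19T17:30:00", "Security", 4624, "bob"),
]
# Day 2: a remote dumping tool like those on slide 14 installs a throw-away service (constructed name).
AFTER = [
    rec("2012-11-20T09:10:00", "Security", 4624, "alice"),                       # known key
    rec("2012-11-20T09:12:00", "Service Control Manager", 7045, "tmpsvc_const"),  # new key
    rec("2012-11-20T09:13:00", "Service Control Manager", 7045, "tmpsvc_const"),  # repeat
]

def demo_clean_baseline():
    return detect_never_seen(BASELINE + AFTER)   # one alert for the 7045 install

def demo_poisoned_baseline():
    # Slide 15's risk "intrusion during statistic gathering": the install is learned as normal, no alert.
    early = [rec("2012-11-19T12:00:00", "Service Control Manager", 7045, "tmpsvc_const")]
    return detect_never_seen(BASELINE + early + AFTER)
```

The second demo is why the slide lists the learning window itself as a risk: anything that happens during collection becomes part of "normal", so the baseline should be taken on a host you already trust.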