9. WHAT’S HAPPENING WHEN ONE’S BREAKING
• Use or modification of privileged accounts
• Configuration modification
• Unusual activity
• New services or applications
ZERONIGHTS 2012 GOTS/SOLDATOV 9
11. RECOMMENDED LIST OF EVENTS
• Pros:
• Microsoft recommends
• Cons:
• Huge amount of data
• Fun:
ZERONIGHTS 2012 GOTS/SOLDATOV 11
12. “IMPROVEMENTS” FOR MICROSOFT GUIDE
• Admin logon from unusual place • Pros:
• Admin logon at unusual time • More AI
• From one IP by different accounts • Cons:
• Lock >1 accounts from one IP • Need time
• Password/Hash dump
• Run system commands
…
ZERONIGHTS 2012 GOTS/SOLDATOV 12
13. UNIVERSAL METHODS
• Pros:
• Start a service
(windows) • Much more AI
• Events (almost) never • Cons:
seen before • 100% we’ve
forgotten smth.
ZERONIGHTS 2012 GOTS/SOLDATOV 13
14. CONDITIONS
• Tested tools:
• OS default
configuration • fgdump
• Up2date AV is up • pwdump
and running • pwdumpx
• OS (almost) up2date • metasploit
• wce
• mimikatz
ZERONIGHTS 2012 GOTS/SOLDATOV 14
15. NEVER SEEN BEFORE EVENTS
• Approaches
• Timeout for statistic collection (up to 24 hours)
• Complex filtering (by criteria)
• Risks
• Server restart in case of intrusion
• Intrusion during statistic gathering
• Complex configuration
• Details of event happening
ZERONIGHTS 2012 GOTS/SOLDATOV 15
16. NEVER SEEN BEFORE EVENTS
(RULE FOR SEC.PL)
ZERONIGHTS 2012 GOTS/SOLDATOV 16
25. HOPE, READY TO ANSWER YOUR QUESTIONS….
Thanks for Your attention!
Igor Gots
Sergey Soldatov
reply-to-all.blogspot.com
ZERONIGHTS 2012 GOTS/SOLDATOV 25
