5. Based upon and continued work and research by Carlos Perez. All about a new vector / idea / problem that needs to reported to a client EARLY STAGES 15 minutes: Overview of what I want to find and some information about what I want to get out of it in the end About The Project
8. Every action you take will always leave a trace. Even when the action is to cover or delete the trace of another action. You will not only leave artefacts and traces on the target system but also on some of the devices you transit and communicate through. ?
9. Developers may create vulnerable code (always has and always will be a problem) Another problem however, that I don’t believe is looked at is: At what stage to SysAdmin’s know that their system is being attacked / is this early enough? Problem?
10.
11. Create part of a testing stage that the SysAdmin’s can join in with! A low to high noise area of testing. What does this mean? Idea?
12. Checklist or Testing Guide. Make sure that the SysAdmin is aware of what is going to happen and ask them to co-operate. Plan a low – medium – high framework that can used. See where the SysAdmin picks it up. Incorporate this into the report. Idea (2)?
13. It is all well and good know you have been attacked, but the fact you don’t know when is when you need to worry. What information has been compromised. Idea (3)?
14. Not all companies have IR Teams Low hanging fruit with be checked first: Processes, connections, EventLog and in some cases memory dumps Knowing your enemy
15. Process lists that are specifically checked: Time of Creation Parent PID Owner Command Line Knowing your enemy (2)
16. On connections things that stand out are obvious: Why is notepad connecting to the web? Why is Internet Explorer connecting to 1337 Once they believe there is a possible compromise they will create a timeline Knowing your enemy (3)
17. Hide your connections Connections from svchost.exe look normal is connecting to high ports IE, Firefox, Chrome, AV, Dropbox and other 443 and 80 Meterpreter offers and API to read and clear Event Logs What types of things can we do?
18. New methodology Should be testing the security of knowledge as well as the security of the app or the infrastructure Learn new ways to hide so that we can learn new ways to find! Summary