
Sergey Soldatov
Igor Gots

HOW TO CATCH YOUR “HACKER” OR MAKESHIFT SECURITY

AGENDA

• Water

• Fishing

• Fishbite

• Hookset

ZERONIGHTS 2012 GOTS/SOLDATOV 2

W?


INFOSECURITY DEPT. HAS TO

• Write corporate regulations

• Make assessments (compliance and/or pentest)

• Monitor logs!


ATTACK STAGES

• Information gathering

• Passive learning

• Active learning

• Obtaining access

• Maintaining access

• Erasing evidence


FISHING

• Firewall/UTM/… :-)

• IDS/IPS
  • Commercial
  • Open source/free

• Log analysis
  • Commercial
  • Open source/free


WHAT HAPPENS WHEN SOMEONE IS BREAKING IN

• Use or modification of privileged accounts

• Configuration modification

• Unusual activity

• New services or applications


TOOL DEPLOYMENT


RECOMMENDED LIST OF EVENTS


• Pros:
  • Microsoft recommends it
• Cons:
  • Huge amount of data
• Fun:

“IMPROVEMENTS” FOR MICROSOFT GUIDE

• Admin logon from an unusual place

• Admin logon at an unusual time

• Logons from one IP by different accounts

• Lockout of more than one account from one IP

• Password/hash dump

• Running system commands


• Pros:
  • More AI
• Cons:
  • Needs time
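Worked example (added here, not code from the talk): the first four rules on this slide run over a few constructed Windows Security events (4624 = successful logon, 4740 = account locked out). The admin accounts, the admin subnet, the working hours, the thresholds and the normalised `src` field are assumptions for the demo; a real 4740 record carries the caller computer name rather than an IP, so the source address would have to come from the collector's normalisation or from the matching 4625/4771 failures.

```python
"""Rules from the "improvements for the Microsoft guide" slide, as an added
example (not code from the talk). Events are constructed to look like Windows
Security log records after field extraction: 4624 = successful logon,
4740 = account locked out. Admin list, admin network, work hours, thresholds
and the normalised 'src' field are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOGON, LOCKOUT = 4624, 4740
ADMINS = {r"CORP\admin-ivanov", r"CORP\admin-petrov"}   # assumed admin accounts
ADMIN_NETS = [ip_network("10.0.5.0/24")]                # assumed admin VLAN
WORK_HOURS = range(8, 20)                               # 08:00-19:59 local time
WINDOW = timedelta(minutes=10)                          # correlation window


def ev(ts, event_id, account, src):
    """One extracted event. For 4740 the real log gives 'Caller Computer
    Name' rather than an IP; 'src' is whatever the collector normalised."""
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "account": account, "src": src}


# Constructed sample log (not real data).
EVENTS = [
    ev("2012-11-19 09:15:00", LOGON, r"CORP\admin-ivanov", "10.0.5.12"),     # normal
    ev("2012-11-19 03:40:00", LOGON, r"CORP\admin-ivanov", "10.0.5.12"),     # unusual time
    ev("2012-11-19 11:05:00", LOGON, r"CORP\admin-petrov", "192.168.77.9"),  # unusual place
    ev("2012-11-19 12:00:00", LOGON, r"CORP\user1", "10.0.9.30"),
    ev("2012-11-19 12:01:00", LOGON, r"CORP\user2", "10.0.9.30"),
    ev("2012-11-19 12:02:30", LOGON, r"CORP\user3", "10.0.9.30"),            # 3 accounts, 1 IP
    ev("2012-11-19 13:00:00", LOCKOUT, r"CORP\user4", "10.0.9.30"),
    ev("2012-11-19 13:03:00", LOCKOUT, r"CORP\user5", "10.0.9.30"),          # 2 lockouts, 1 IP
    ev("2012-11-19 13:10:00", LOCKOUT, r"CORP\user6", "10.0.9.31"),          # just one
]


def _admin_logons(events):
    return [e for e in events if e["id"] == LOGON and e["account"] in ADMINS]


def admin_unusual_place(events):
    """Admin logon whose source address is outside the admin networks."""
    return [e for e in _admin_logons(events)
            if not any(ip_address(e["src"]) in net for net in ADMIN_NETS)]


def admin_unusual_time(events):
    """Admin logon outside working hours."""
    return [e for e in _admin_logons(events) if e["time"].hour not in WORK_HOURS]


def sources_with_many_accounts(events, event_id, threshold, window=WINDOW):
    """Sources from which at least `threshold` distinct accounts produced
    `event_id` inside a sliding time window of `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == event_id:
            by_src[e["src"]].append(e)
    hits = set()
    for src, evs in by_src.items():
        for i, first in enumerate(evs):          # window starts at each event
            accounts = {x["account"] for x in evs[i:]
                        if x["time"] - first["time"] <= window}
            if len(accounts) >= threshold:
                hits.add(src)
                break
    return sorted(hits)


def many_accounts_one_ip(events):
    """'Logons from one IP by different accounts': 3+ accounts in 10 minutes."""
    return sources_with_many_accounts(events, LOGON, threshold=3)


def lockouts_one_ip(events):
    """'Lockout of more than one account from one IP': 2+ accounts in 10 minutes."""
    return sources_with_many_accounts(events, LOCKOUT, threshold=2)


if __name__ == "__main__":
    for name, rule in [("admin from unusual place", admin_unusual_place),
                       ("admin at unusual time", admin_unusual_time),
                       ("many accounts from one IP", many_accounts_one_ip),
                       ("lockouts from one IP", lockouts_one_ip)]:
        print(f"{name}: {rule(EVENTS)}")
```

The sliding window is what separates a real rule from a simple count: three different accounts from one address spread over a day is normal on a terminal server, three inside ten minutes from a workstation address is the "from one IP by different accounts" pattern. The admin set and subnet are the part that "needs time" on the cons list, since they have to be maintained by hand.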

UNIVERSAL METHODS

• Start a service (Windows)

• Events (almost) never seen before


• Pros:
  • Much more AI
• Cons:
  • 100% we’ve forgotten something

CONDITIONS

• OS default configuration

• Up-to-date AV is up and running

• OS (almost) up to date


• Tested tools:
  • fgdump
  • pwdump
  • pwdumpx
  • metasploit
  • wce
  • mimikatz

NEVER SEEN BEFORE EVENTS

• Approaches
  • Timeout for statistic collection (up to 24 hours)
  • Complex filtering (by criteria)

• Risks
  • Server restart in case of intrusion
  • Intrusion during statistic gathering
  • Complex configuration
  • Event details (what exactly happened)
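Worked example (added here; it is not the sec.pl rule from the talk): a "never seen before" detector that learns for the 24-hour collection timeout, filters by criteria (only the listed event IDs and fields count), alerts once per new key, and covers two of the risks above: the baseline is persisted so a server restart does not throw the statistics away, and services learned during the window can be pulled out for review in case the intrusion happened while statistics were being gathered. The event IDs are real Windows ones (7045 service installed in the System log, which is what the "start a service" method relies on; 4688 process creation; 4624 logon); the key fields, the service names, the paths and the sample timeline are constructed.

```python
"""'Never seen before' events: learn what is normal for up to 24 hours, then
alert on anything outside the baseline. Added example, not the sec.pl rule
from the talk. Events are constructed to resemble extracted Windows records
(7045 = service installed, System log; 4688 = process created; 4624 = logon).
Key fields, window, service names and paths are this example's assumptions.
"""
import json
from datetime import datetime, timedelta

LEARN_WINDOW = timedelta(hours=24)   # "timeout for statistic collection"

# Filtering by criteria: only these event IDs are considered, and only these
# fields decide whether an event is a repeat of something already seen.
KEY_FIELDS = {
    7045: ("ServiceName", "ImagePath"),            # "start a service (Windows)"
    4688: ("NewProcessName",),                     # "running system commands"
    4624: ("TargetUserName", "WorkstationName"),   # who logs on from where
}
USUAL_DIRS = ("c:\\windows\\", "c:\\program files")   # where service binaries normally live


class NeverSeenBefore:
    def __init__(self, start, learn_window=LEARN_WINDOW, baseline=()):
        self.start = start
        self.learn_until = start + learn_window
        self.baseline = set(baseline)

    @staticmethod
    def key(event):
        fields = KEY_FIELDS.get(event["id"])
        if fields is None:
            return None                            # filtered out entirely
        return (event["id"],) + tuple(str(event.get(f, "")).lower() for f in fields)

    def feed(self, event):
        """Learn during the window; afterwards return an alert for a new key.
        The key is added on alert so the same thing does not alert forever."""
        k = self.key(event)
        if k is None:
            return None
        is_new = k not in self.baseline
        self.baseline.add(k)
        if event["time"] < self.learn_until or not is_new:
            return None
        return {"time": event["time"], "key": k}

    def review_baseline(self):
        """Risk 'intrusion during statistic gathering': a service the attacker
        installed while we were learning is now 'normal'. List learned services
        whose binary sits outside the usual directories for a human to check."""
        return sorted(k for k in self.baseline
                      if k[0] == 7045 and not k[2].startswith(USUAL_DIRS))

    def save(self):
        """Risk 'server restart': persist the baseline instead of relearning."""
        return json.dumps({"start": self.start.isoformat(),
                           "baseline": sorted(list(k) for k in self.baseline)})

    @classmethod
    def load(cls, blob, learn_window=LEARN_WINDOW):
        d = json.loads(blob)
        return cls(datetime.fromisoformat(d["start"]), learn_window,
                   baseline=(tuple(k) for k in d["baseline"]))


def ev(ts, event_id, **fields):
    return {"time": datetime.fromisoformat(ts), "id": event_id, **fields}


START = datetime(2012, 11, 19, 0, 0)
# Constructed sample log (not real data); the first 24 h are the learning window.
EVENTS = [
    ev("2012-11-19 08:00:00", 4624, TargetUserName="ivanov", WorkstationName="WS-IVANOV"),
    ev("2012-11-19 08:01:00", 4688, NewProcessName=r"C:\Windows\System32\cmd.exe"),
    ev("2012-11-19 09:30:00", 7045, ServiceName="BackupAgent",
       ImagePath=r"C:\Program Files\Backup\agent.exe"),
    ev("2012-11-19 15:00:00", 7045, ServiceName="tmpsvc",        # attacker during learning
       ImagePath=r"C:\Users\Public\tmp.exe"),
    ev("2012-11-19 15:00:05", 4672, SubjectUserName="ivanov"),   # not in KEY_FIELDS: ignored
    # after the learning window
    ev("2012-11-20 10:00:00", 4688, NewProcessName=r"C:\Windows\System32\cmd.exe"),  # seen
    ev("2012-11-20 10:02:00", 4624, TargetUserName="ivanov", WorkstationName="WS-UNKNOWN"),
    ev("2012-11-20 10:03:00", 7045, ServiceName="svcdump",       # hypothetical dumper service
       ImagePath=r"C:\Windows\Temp\svcdump.exe"),
    ev("2012-11-20 10:04:00", 4688, NewProcessName=r"C:\Windows\Temp\svcdump.exe"),
    ev("2012-11-20 10:05:00", 4688, NewProcessName=r"C:\Windows\Temp\svcdump.exe"),  # repeat
]


def run(events, start=START):
    det = NeverSeenBefore(start)
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        a = det.feed(e)
        if a is not None:
            alerts.append(a)
    return alerts, det


if __name__ == "__main__":
    alerts, det = run(EVENTS)
    for a in alerts:
        print("NEW:", a["time"], a["key"])
    print("learned but worth a look:", det.review_baseline())
```

The choice of key fields is the "complex configuration" risk in concrete form: keying 4688 on the full image path is quiet on a server but noisy on a workstation where users install things, and keying 4624 on user plus workstation is what makes an admin's first logon from a new machine visible. The "details of the event" risk is also visible: an alert only says which key was new, so the raw record has to be kept alongside it.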


NEVER SEEN BEFORE EVENTS (RULE FOR SEC.PL)


FGDUMP (REMOTE)

PWDUMP6 (REMOTE)


PWDUMPX (REMOTE)


METASPLOIT


WCE (LOCAL)

BUT


MIMIKATZ (LOCAL)


… and NO LOGS!

DETECTION


HOPEFULLY READY TO ANSWER YOUR QUESTIONS…

Thanks for your attention!

Igor Gots

Sergey Soldatov

reply-to-all.blogspot.com
