Sergey Soldatov
Igor Gots
HOW TO CATCH YOUR “HACKER” OR MAKESHIFT SECURITY
AGENDA
• Water
• Fishing
• Fishbite
• Hookset
ZERONIGHTS 2012 GOTS/SOLDATOV 2
W?
INFOSECURITY DEPT. HAS TO
• Write corporate regulations
• Make assessments (compliance &/| pentest)
• Monitor logs!
ATTACK STAGES
• Information gathering
• Passive learning
• Active learning
• Obtaining access
• Maintaining access
• Erasing evidence
FISHING
• Firewall/UTM/… :-)
• IDS/IPS
  • Commercial
  • Opensource/free
• Log analysis
  • Commercial
  • Opensource/free
WHAT HAPPENS WHEN SOMEONE IS BREAKING IN
• Use or modification of privileged accounts
• Configuration modification
• Unusual activity
• New services or applications
TOOL DEPLOYMENT
RECOMMENDED LIST OF EVENTS
• Pros:
  • Microsoft recommends
• Cons:
  • Huge amount of data
• Fun:
“IMPROVEMENTS” FOR MICROSOFT GUIDE
• Admin logon from unusual place
• Admin logon at unusual time
• From one IP by different accounts
• Lock >1 accounts from one IP
• Password/Hash dump
• Run system commands
…
• Pros:
  • More AI
• Cons:
  • Need time
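The first four "improvement" rules above, implemented over a constructed batch of logon and lockout events. This is an added Python example, not the authors' rule set; the admin list, office network and working hours are assumptions and the sample events are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows logon/lockout events, reduced to the fields the rules need.
EVENTS = [
    {"kind": "logon",   "user": "alice",     "ip": "10.1.0.15",   "hour": 9},
    {"kind": "logon",   "user": "dom_admin", "ip": "10.1.0.40",   "hour": 11},
    {"kind": "logon",   "user": "dom_admin", "ip": "203.0.113.9", "hour": 3},
    {"kind": "logon",   "user": "alice",     "ip": "10.1.0.77",   "hour": 12},
    {"kind": "logon",   "user": "bob",       "ip": "10.1.0.77",   "hour": 12},
    {"kind": "logon",   "user": "carol",     "ip": "10.1.0.77",   "hour": 12},
    {"kind": "lockout", "user": "dave",      "ip": "10.1.0.77",   "hour": 12},
    {"kind": "lockout", "user": "erin",      "ip": "10.1.0.77",   "hour": 12},
    {"kind": "lockout", "user": "frank",     "ip": "10.1.0.3",    "hour": 14},
]
ADMINS = {"dom_admin"}                               # assumed privileged accounts
OFFICE_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # assumed "usual place"
WORK_HOURS = range(8, 20)                            # assumed "usual time", 08:00-19:59

def users_per_ip(events, kind):
    """Group the distinct accounts seen per source IP for one event kind."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == kind:
            seen[e["ip"]].add(e["user"])
    return seen

def many_accounts_one_ip(events, threshold=3):
    """Rule 'from one IP by different accounts': >= threshold distinct users."""
    return {ip: sorted(u) for ip, u in users_per_ip(events, "logon").items()
            if len(u) >= threshold}
def lockouts_one_ip(events):
    """Rule 'lock >1 accounts from one IP'."""
    return {ip: sorted(u) for ip, u in users_per_ip(events, "lockout").items()
            if len(u) > 1}
def unusual_admin_logons(events):
    """Rules 'admin logon from unusual place' and 'admin logon at unusual time'."""
    alerts = []
    for e in events:
        if e["kind"] != "logon" or e["user"] not in ADMINS:
            continue
        reasons = []
        if not any(ipaddress.ip_address(e["ip"]) in net for net in OFFICE_NETS):
            reasons.append("unusual place")
        if e["hour"] not in WORK_HOURS:
            reasons.append("unusual time")
        if reasons:
            alerts.append((e["user"], e["ip"], reasons))
    return alerts
```

The threshold and the time/place baselines are where the "need time" cost lives: they have to be tuned per environment before the rules stop paging on normal activity.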
UNIVERSAL METHODS
• Start a service (Windows)
• Events (almost) never seen before
• Pros:
  • Much more AI
• Cons:
  • 100% we’ve forgotten something
CONDITIONS
• OS default configuration
• Up-to-date AV is up and running
• OS (almost) up to date
• Tested tools:
  • fgdump
  • pwdump
  • pwdumpx
  • metasploit
  • wce
  • mimikatz
NEVER SEEN BEFORE EVENTS
• Approaches
  • Timeout for statistic collection (up to 24 hours)
  • Complex filtering (by criteria)
• Risks
  • Server restart in case of intrusion
  • Intrusion during statistic gathering
  • Complex configuration
  • Details of event happening
NEVER SEEN BEFORE EVENTS (RULE FOR SEC.PL)
FGDUMP (REMOTE)
PWDUMP6 (REMOTE)
PWDUMPX (REMOTE)
METASPLOIT
WCE (LOCAL)
BUT
MIMIKATZ (LOCAL)
… and NO LOGS!
DETECTION
HOPEFULLY READY TO ANSWER YOUR QUESTIONS…
Thanks for your attention!
Igor Gots
Sergey Soldatov
reply-to-all.blogspot.com