Hacker s Perspective on your Windows Infrastructure: Windows 10 Mandatory Check List

Size: px

Start display at page:

Download "Hacker s Perspective on your Windows Infrastructure: Windows 10 Mandatory Check List"

Loraine May
7 years ago
Views:

Tester CQURE Offices: New York, Dubai, Warsaw MVP: Enterprise

1 Hacker s Perspective on your Windows Infrastructure: Windows 10 Mandatory Check List Paula Januszkiewicz CQURE: CEO, Penetration Tester CQURE Offices: New York, Dubai, Warsaw MVP: Enterprise Security, MCT #win10tour

3 Our tools: Tools Check out the following links: - Benjamin Delpy - Csaba Barta

4 Be familiar with the possibilities of the operating system From the user mode and kernel mode We are NOT talking about the forensics! just doing a little hacking + conclusions My goal: See one of the ways hacker can act

6 From the network perspective Public services, IP address range etc. Business model Branch connections Potential points of entry From the habits perspective Corporate policy Administrator s friends and hobby User s habits

7 Users Users rarely have software up to date Awareness issues... But for hacker it may be not enough Administrators Local account Password reuse for workstations Different password for workstations Domain account Domain user being local administrator Domain administrator

8 Scripts are Cool

9 Services DLLs Startup (Menu Start) Task Scheduler LSA Providers Run, Run Once GPO Notification Package Winlogon Image Hijacking Drivers Etc.

10 Stay Persistent

11 If you are not ready to attack: Stay stealth and do not change the system behavior Hide your traces Processes Files Infrastructure performance Network traffic Server / Client Platform Performance

12 Stay undetected

13 and find more victims Make recognition where you can get in (ADMIN$) Service Accounts Connection Strings / Application Pool LSA Secrets Inappropriate permissions

14 Victim Recon

15 PASS THE HASH ATTACKS Today s security challenge

16 TODAY S SECURITY CHALLENGE PASS THE HASH ATTACKS

.. Hash:E1977 Malware User Session User: Adm User: Sue Hash: E1977 Hash: C9DF User: Sue Hash:C9DF 1 3 4 1.

17 PASS THE HASH TECHNIQUE Fred s Laptop Sue s Laptop File Server Fred s User Session Sue s User Session User: Fred Password hash: A3D7 2 User: Sue Password hash: C9DF Malware Session User: Administrator Password hash: E1977 User: Adm... Hash:E1977 Malware User Session User: Adm User: Sue Hash: E1977 Hash: C9DF User: Sue Hash:C9DF FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR 2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER 3. MALWARE INFECTS SUE S LAPTOP AS FRED 4. MALWARE INFECTS FILE SERVER AS SUE

18 VSM uses Hyper-V powered secure execution environment to protect derived credentials you can get things in but can t get things out P-T-H SOLUTION Decouples NTLM hash from logon secret PASS THE HASH ATTACKS Fully randomizes and manages full length NTLM hash to prevent brute force attack Derived credentials that VSM protected LSA Service gives to Windows are non-replayable

19 Virtualization VIRTUAL SECURE MODE (VSM) VSM isolates sensitive Windows processes in a hardware based Hyper-V container VSM runs the Windows Kernel and a series of Trustlets (Processes) within it VSM protects VSM kernel and Trustlets even if Windows Kernel is fully compromised Requires processor virtualization extensions (e.g.: VT-X, VT-D)

20 Local Security Auth Service Virtual TPM Hyper-Visor Code Integrity Virtual Secure Mode Apps Virtual Secure Mode (VSM) Windows

21 Windows 10: Local Account

22 Windows 10: Domain Account

25 and reboot the machine

26 VSM Enabled Windows 10: VSM Enabled

32 Create the remotely controlled network Automate next scans Create your own botnet What can be the hacker s goal in your infrastructure?

34 Stay Anonymous Know your victim Use the social skills Stay persistent Stay undetected Use victims to attack more targets

35 Learn how to detect malicious situations Know your system when it is safe you need a baseline If you detect a successful attack do not try to fight Report the issue Investigate and do an IT Audit Estimate the range of the attack Know how to recover your data, when necessary

Microsoft MVP (Enterprise / Azure Security 9 Years) Microsoft Certified Trainer (20 years) Founder: Cybercrime Security Forum!

Session Overview Andy Malone (Scotland, UK) Microsoft MVP (Enterprise / Azure Security 9 Years) Microsoft Certified Trainer (20 years) Founder: Cybercrime Security Forum! Worldwide Event Speaker Winner: