Hacker's Perspective on your Windows Infrastructure: Windows 10 Mandatory Check List
Paula Januszkiewicz
CQURE: CEO, Penetration Tester
CQURE Offices: New York, Dubai, Warsaw
MVP: Enterprise Security, MCT
paula@cqure.us
http://cqure.us
@paulacqure @CQUREAcademy #win10tour
Our tools: http://cqure.pl
Check out the following links:
- http://www.gentilkiwi.com/ - Benjamin Delpy
- http://www.ntdsxtract.com/ - Csaba Barta
Be familiar with the possibilities of the operating system, from user mode and kernel mode.
We are NOT talking about forensics! Just doing a little hacking + conclusions.
My goal: see one of the ways a hacker can act.
From the network perspective:
- Public services, IP address range etc.
- Business model
- Branch connections
- Potential points of entry
From the habits perspective:
- Corporate policy
- Administrator's friends and hobby
- User's habits
Users
- Users rarely have software up to date
- Awareness issues... but for the hacker it may not be enough
Administrators
- Local account: password reuse for workstations / different password for workstations
- Domain account: domain user being local administrator / domain administrator
Scripts are Cool
- Services
- DLLs
- Startup (Start Menu)
- Task Scheduler
- LSA Providers
- Run, RunOnce
- GPO
- Notification Package
- Winlogon
- Image Hijacking
- Drivers
- Etc.
Stay Persistent
If you are not ready to attack: stay stealthy and do not change the system behavior.
Hide your traces:
- Processes
- Files
- Infrastructure performance
- Network traffic
- Server / client platform performance
Stay undetected
...and find more victims. Make reconnaissance of where you can get in (ADMIN$):
- Service accounts
- Connection strings / application pool
- LSA secrets
- Inappropriate permissions
Victim Recon
PASS THE HASH ATTACKS: Today's security challenge
PASS THE HASH TECHNIQUE (diagram)
Fred's Laptop: Fred's user session (User: Fred, password hash: A3D7); malware session (User: Administrator, password hash: E1977)
Sue's Laptop: Sue's user session (User: Sue, password hash: C9DF); malware user session (User: Adm..., hash: E1977)
File Server: User: Sue, hash: C9DF
1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE'S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE
PASS THE HASH ATTACKS: P-T-H SOLUTION
- VSM uses a Hyper-V powered secure execution environment to protect derived credentials: you can get things in but can't get things out
- Decouples the NTLM hash from the logon secret
- Fully randomizes and manages a full-length NTLM hash to prevent brute force attacks
- Derived credentials that the VSM-protected LSA service gives to Windows are non-replayable
Virtualization: VIRTUAL SECURE MODE (VSM)
- VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
- VSM runs the Windows kernel and a series of Trustlets (processes) within it
- VSM protects the VSM kernel and Trustlets even if the Windows kernel is fully compromised
- Requires processor virtualization extensions (e.g. VT-x, VT-d)
Architecture diagram: Hypervisor at the base; Virtual Secure Mode (VSM) hosting the Local Security Auth Service, Virtual TPM and Code Integrity; Windows hosting the Apps.
Windows 10: Local Account
Windows 10: Domain Account
and reboot the machine
Windows 10: VSM Enabled
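The demo slides above enable VSM, reboot, and then show the machine with VSM enabled. As an added example (not part of the deck, and not CQURE's tooling), the following PowerShell reports whether virtualization-based security and its credential-protecting component (the VSM-protected LSA shown in this deck, which shipped in Windows 10 as Credential Guard) are configured and actually running, so the state can be verified as part of a Windows 10 checklist rather than assumed. It reads the Win32_DeviceGuard WMI class and the EnableVirtualizationBasedSecurity and LsaCfgFlags registry values; the status code meanings in the comments are as documented for that class.

```powershell
# Added example, not from the deck: report the VSM / Credential Guard state of this host.
# Win32_DeviceGuard lives in the root\Microsoft\Windows\DeviceGuard namespace on Windows 10 and later.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled but not running' }
    2       { 'running' }
    default { "unknown ($_)" }
}

# SecurityServicesConfigured / SecurityServicesRunning hold service ids:
# 1 = Credential Guard (the VSM-protected LSA from the slides), 2 = hypervisor-enforced code integrity
$cgConfigured = @($dg.SecurityServicesConfigured) -contains 1
$cgRunning    = @($dg.SecurityServicesRunning)    -contains 1
$hvciRunning  = @($dg.SecurityServicesRunning)    -contains 2

# Registry switches behind the "VSM Enabled ... and reboot the machine" demo:
# EnableVirtualizationBasedSecurity = 1 turns VBS on;
# LsaCfgFlags = 1 enables Credential Guard with UEFI lock, 2 enables it without the lock
$vbsReg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
$lsaReg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
$vbsRegText = if ($null -eq $vbsReg) { 'not set' } else { $vbsReg }
$lsaRegText = if ($null -eq $lsaReg) { 'not set' } else { $lsaReg }

[pscustomobject]@{
    ComputerName                = $env:COMPUTERNAME
    VirtualizationBasedSecurity = $vbsStatus
    CredentialGuardConfigured   = $cgConfigured
    CredentialGuardRunning      = $cgRunning
    HvciRunning                 = $hvciRunning
    EnableVBSRegistryValue      = $vbsRegText
    LsaCfgFlags                 = $lsaRegText
}

# "Configured but not running" is the state between the demo's registry change and the reboot,
# or a machine that lacks the virtualization extensions the VSM slide lists as a requirement.
if ($cgConfigured -and -not $cgRunning) {
    Write-Warning "Credential Guard is configured but not running on $env:COMPUTERNAME: reboot pending or prerequisites unmet."
} elseif (-not $cgConfigured) {
    Write-Warning "Credential Guard is not configured on $env:COMPUTERNAME; LSA secrets are not VSM-protected."
}
```

Run it from an elevated PowerShell on each Windows 10 machine after the reboot; the object it emits can be collected centrally, and any host where CredentialGuardRunning is False still keeps its derived credentials inside the ordinary LSA process, i.e. exactly the position the pass-the-hash diagram relies on.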
What can be the hacker's goal in your infrastructure?
- Create the remotely controlled network
- Automate next scans
- Create your own botnet
- Stay anonymous
- Know your victim
- Use the social skills
- Stay persistent
- Stay undetected
- Use victims to attack more targets
- Learn how to detect malicious situations
- Know your system when it is safe: you need a baseline
- If you detect a successful attack, do not try to fight:
  - Report the issue
  - Investigate and do an IT audit
  - Estimate the range of the attack
  - Know how to recover your data, when necessary
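The "Stay Persistent" slide lists the locations an intruder uses to survive a reboot, and the closing slide says you need a baseline of the system while it is safe. The PowerShell below ties the two together; it is an added example, not part of the deck or CQURE's tools. It snapshots the autostart locations from that list (Run/RunOnce, LSA packages, Winlogon, Image File Execution Options, services, drivers, scheduled tasks, Startup folders), writes the snapshot as a baseline on the first run, and on later runs reports every entry that was added or removed. The baseline path is an assumption; DLL search-order items and GPO scripts from the slide's list are not enumerated here.

```powershell
# Added example, not from the deck: baseline the autostart locations from the
# "Stay Persistent" slide and diff later snapshots against it.
# First run writes the baseline; later runs print what was added or removed.
param(
    [string]$BaselinePath = "$env:ProgramData\persistence-baseline.json"   # assumed location
)

function Get-PersistenceSnapshot {
    $items = New-Object 'System.Collections.Generic.List[object]'
    function Add-Entry($Source, $Name, $Value) {
        $items.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = [string]$Value })
    }

    # Run / RunOnce keys for the machine and the current user
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (Test-Path $key) {
                (Get-ItemProperty -Path $key).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { Add-Entry $key $_.Name $_.Value }
            }
        }
    }

    # LSA packages (authentication, notification, security providers) and Winlogon hooks
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($n in 'Authentication Packages', 'Notification Packages', 'Security Packages') {
        Add-Entry 'Lsa' $n ($lsa.$n -join ';')
    }
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Userinit', 'Shell') { Add-Entry 'Winlogon' $n ($wl.$n) }

    # Image File Execution Options "Debugger" values (image hijacking)
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Entry 'IFEO' $_.PSChildName $dbg }
    }

    # Services and drivers with the binary they launch
    Get-CimInstance Win32_Service      | ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }
    Get-CimInstance Win32_SystemDriver | ForEach-Object { Add-Entry 'Driver'  $_.Name $_.PathName }

    # Scheduled tasks: every action's executable and arguments
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            Add-Entry 'Task' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }

    # Startup folders (per-user and all-users)
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Entry 'StartupFolder' $_.Name $_.FullName }
    }
    return $items
}

$current = @(Get-PersistenceSnapshot)
$toKey   = { "$($_.Source)|$($_.Name)|$($_.Value)" }

if (-not (Test-Path $BaselinePath)) {
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline with $($current.Count) entries written to $BaselinePath"
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$diff = Compare-Object -ReferenceObject ($baseline | ForEach-Object $toKey) -DifferenceObject ($current | ForEach-Object $toKey)
if (-not $diff) {
    Write-Host "No change in persistence locations since the baseline."
} else {
    Write-Warning "Persistence locations differ from the baseline; review each entry:"
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output "$tag $($d.InputObject)"
    }
}
```

Take the baseline from an elevated PowerShell on a freshly built, known-good machine, then rerun the script on a schedule or during triage; a new service binary, Winlogon Shell value or IFEO Debugger entry shows up as an ADDED line, which is the concrete signal the "know your system when it is safe" advice needs.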