Paula Januszkiewicz
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Contact: paula@cqure.us | http://cqure.us
@paulacqure
@CQUREAcademy
Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook
Disk
Memory
Handles
Processes
Hidden Processes (ActiveProcessLinks)
Files that can be extracted
Threads
Modules
Registry
API Hooks
Services
UserAssist
Shellbags
ShimCache
Event Logs
Timeline
Entry Information
Sysmon allows you to build an attack timeline
Allows you to define an entry point and anomalies
Collects and records system events to the Windows event log
It is free and easy to set up
Good practices
Filter out uninteresting events (image loads etc.)
Make sure the event log is big enough
Centralize the events on a separate server
You can download Sysmon from Sysinternals.com
Filtering Rules
Include thread injections into lsass:
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="image">lsass.exe</TargetImage>
    </CreateRemoteThread>
Exclude all Microsoft-signed image loads:
    <ImageLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
      <Signature condition="contains">Windows</Signature>
    </ImageLoad>
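To see what the two rules above actually keep and drop, here is a small evaluator for the subset of Sysmon's rule syntax the slide uses (onmatch include/exclude; conditions "image", "contains", "is"). This is an added example written for this page, not code from the session or from Sysmon itself. It wraps the slide's rules in the Sysmon/EventFiltering skeleton (the schemaversion value is an assumption; use the one your Sysmon build reports), applies the condition semantics from the Sysmon documentation ("image" matches a full path or just the file name, filters in one block are OR'ed by default), and treats event types with no rule as recorded, which is a simplification: Sysmon keeps some types such as ImageLoad off unless configured. The events it runs over are constructed, not real telemetry.

```python
"""Evaluate Sysmon-style include/exclude rules against sample events.

Added example, not Sysmon's own code. Only the conditions used on the
slide ("image", "contains") plus "is" are implemented.
"""
import xml.etree.ElementTree as ET

# The slide's two rules inside a minimal Sysmon config skeleton.
# schemaversion is an assumption; check "sysmon -s" on your build.
CONFIG_XML = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="image">lsass.exe</TargetImage>
    </CreateRemoteThread>
    <ImageLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
      <Signature condition="contains">Windows</Signature>
    </ImageLoad>
  </EventFiltering>
</Sysmon>"""


def field_matches(condition, pattern, value):
    """Sysmon conditions used here; comparisons are case-insensitive."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "contains":
        return p in v
    if condition == "image":
        # "image" matches the full path or only the file name component,
        # so lsass.exe matches C:\Windows\System32\lsass.exe
        return v == p or v.rsplit("\\", 1)[-1] == p
    raise ValueError(f"condition not implemented: {condition}")


def parse_rules(xml_text):
    """Return {event_type: [(onmatch, [(field, condition, pattern), ...])]}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for block in root.find("EventFiltering"):
        filters = [(f.tag, f.get("condition", "is"), (f.text or "").strip())
                   for f in block]
        rules.setdefault(block.tag, []).append((block.get("onmatch"), filters))
    return rules


def is_recorded(rules, event_type, event):
    """Decide whether an event survives the rules.

    Filters inside one block are OR'ed (Sysmon's default groupRelation).
    An include block records only events that match some filter; an
    exclude block records only events that match none. Event types
    without a rule are treated as recorded (assumption/simplification).
    """
    blocks = rules.get(event_type)
    if not blocks:
        return True
    for onmatch, filters in blocks:
        hit = any(field in event and field_matches(cond, pat, event[field])
                  for field, cond, pat in filters)
        if onmatch == "include" and not hit:
            return False
        if onmatch == "exclude" and hit:
            return False
    return True


# Constructed sample events (not real telemetry); field names mirror the
# Sysmon event fields the slide's rules reference.
SAMPLE_EVENTS = [
    ("CreateRemoteThread", {"SourceImage": r"C:\Users\alice\tools\x.exe",
                            "TargetImage": r"C:\Windows\System32\lsass.exe"}),
    ("CreateRemoteThread", {"SourceImage": r"C:\Windows\System32\svchost.exe",
                            "TargetImage": r"C:\Windows\explorer.exe"}),
    ("ImageLoad", {"ImageLoaded": r"C:\Windows\System32\ntdll.dll",
                   "Signature": "Microsoft Windows"}),
    ("ImageLoad", {"ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
                   "Signature": ""}),
    ("ProcessCreate", {"Image": r"C:\Windows\System32\cmd.exe"}),
]


def recorded_events(rules=None, events=SAMPLE_EVENTS):
    """Apply the rules to the sample events and return the ones Sysmon keeps."""
    rules = rules or parse_rules(CONFIG_XML)
    return [(etype, ev) for etype, ev in events if is_recorded(rules, etype, ev)]


if __name__ == "__main__":
    for etype, ev in recorded_events():
        print(etype, ev)
```

Run as a script it prints the lsass thread injection, the unsigned DLL load and the process creation, and drops the explorer.exe injection and the Microsoft-signed ntdll.dll load. Swap in your own config text and a handful of fields from real events to sanity-check a rule set before deploying it.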
Recorded Events
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Make sure all tracing features on the drive and in the system are enabled: USN, Prefetch etc.
Image first, then play
Create an Incident Response Procedure (most of the customers we start the adventure with do not have one…)
http://myignite.microsoft.com
https://aka.ms/ignite.mobileapp

Editor's Notes

  1. [60] Normally such things happen after patching. Script – information – RDP Operational Prefetch – mimikatz.
  2. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  11. Licence: Common