SlideShare a Scribd company logo

RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the Hook

Paula Januszkiewicz
Paula Januszkiewicz

Cybercrime is a very lucrative business not just because of the potential financial return, but because it’s quite easy to get away with it. Sometimes hackers get caught, but most of the time they still run free. When it comes to operating systems and after-attack traces, it is not that bad as all traces are gathered in one place—your infrastructure. Even though hackers use techniques to remain on the loose, it is possible by using forensic techniques to gather evidence in order to demonstrate what actually happened. During this super intense session, Paula demonstrated techniques used by hackers to hide traces and forensic techniques that indicate how these activities were performed. Extremely technical session!

Technology
1 of 20
SESSION ID: #RSAC Paula Januszkiewicz ADVENTURES IN THE UNDERLAND: TECHNIQUES AGAINST HACKERS EVADING THE HOOK HTA-T08 CQURE: CEO, Cybersecurity Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Contact: paula@cqure.us | http://cqureacademy.com @paulacqure @CQUREAcademy
# R S A C
# R S A C
# R S A C Searching for a Trace: Disk Disk Profile, NTUSER Run dialog Most Recently Used (MRU), Management Console (MMC) Remote Desktop connections Prefetch files Recent documents Automatic Destinations (LNK) Security Log RDP Operational Log Application Logs Temporary Internet Files Deleted files – recoverable from the disk NTFS Structures Hiberfil.sys Memory dumps
#RSAC DEMO: DATA ON DISK ANALYSIS
# R S A C Techniques for Hiding vs. Recovering Data
#RSAC DEMO: DATA RECOVERY
# R S A C Searching for a Trace: Memory Memory Handles Processes Hidden Processes (ActiveProcessLinks) Files that can be extracted Threads Modules Registry API Hooks Services UserAssist Shellbags ShimCache Event Logs Timeline
#RSAC DEMO: EXTRACTING LOGS FROM MEMORY
#RSAC DEMO: DUMP ANALYSIS
# R S A C Agenda
# R S A C Sysmon Entry Information Allows to build an attack timeline Allows to define an entry point and anomalies Collects and records system events to the Windows event log It is free and easy to set up Good practices Filter out uninteresting events (image loads etc.) Make sure event log is big enough Centralize the events in a separate server You can download Sysmon from Sysinternals.com
#RSAC DEMO: SYSMON IN ACTION
# R S A C Sysmon: Events and Filtering Examples Filtering Rules Include thread injections into lsass: <CreateRemoteThread onmatch="include"> <TargetImage condition="image">lsass.exe</TargetImage> </CreateRemoteThread > Exclude all Microsoft-signed image loads: <ImageLoad onmatch="exclude"> <Signature condition="contains">Microsoft</Signature> <Signature condition="contains">Windows</Signature> </ImageLoad> Recorded Events Event ID 1: Process creation Event ID 2: A process changed a file creation time Event ID 3: Network connection Event ID 4: Sysmon service state changed Event ID 5: Process terminated Event ID 6: Driver loaded Event ID 7: Image loaded Event ID 8: CreateRemoteThread Event ID 9: RawAccessRead Event ID 10: ProcessAccess And more
#RSAC DEMO: SYSMON CUSTOMIZED
#RSAC DEMO: SYSMON AND NETWORK + getting info about the IP addresses
# R S A C Apply: Adventures Summary  Make sure all tracing features on the drive and in the system are enabled: USN, Prefech etc.  Image first then play  Create Incident Response Procedure (most of the Customers we start the adventure with do not have it…)
# R S A C
# R S A C
# R S A C

Recommended

Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouPaula Januszkiewicz
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingPaula Januszkiewicz
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczZuzannaKornecka
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 

Recommended

Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouPaula Januszkiewicz
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingPaula Januszkiewicz
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczZuzannaKornecka
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSECMayank Gaikwad
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossecJeronimo Zucco
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
Distributed cache service
Distributed cache serviceDistributed cache service
Distributed cache serviceprajeeshprathap
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 
Mitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxMitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxwaizuq
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam
 

More Related Content

What's hot

Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSECMayank Gaikwad
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
Distributed cache service
Distributed cache serviceDistributed cache service
Distributed cache serviceprajeeshprathap
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
 

What's hot (20)

Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightning
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
Distributed cache service
Distributed cache serviceDistributed cache service
Distributed cache service
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
 

Similar to RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the Hook

Mitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxMitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxwaizuq
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMJerod Brennen
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSAShannon Lietz
 
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 FinalProtecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 FinalVinod Kumar
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Michael Ducy
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...
Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...
Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...Databricks
 

Similar to RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the Hook (20)

Mitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptxMitre Attack - Credential Dumping - updated.pptx
Mitre Attack - Credential Dumping - updated.pptx
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAM
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
 
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 FinalProtecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...
Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...
Automating Federal Aviation Administration’s (FAA) System Wide Information Ma...
 

More from Paula Januszkiewicz

Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedPaula Januszkiewicz
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz
 
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017Paula Januszkiewicz
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro Paula Januszkiewicz
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...Paula Januszkiewicz
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017Paula Januszkiewicz
 

More from Paula Januszkiewicz (9)

Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hacked
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
 
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the Hook

  • 1. SESSION ID: #RSAC Paula Januszkiewicz ADVENTURES IN THE UNDERLAND: TECHNIQUES AGAINST HACKERS EVADING THE HOOK HTA-T08 CQURE: CEO, Cybersecurity Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Contact: paula@cqure.us | http://cqureacademy.com @paulacqure @CQUREAcademy
  • 2. # R S A C
  • 3. # R S A C
  • 4. # R S A C Searching for a Trace: Disk Disk Profile, NTUSER Run dialog Most Recently Used (MRU), Management Console (MMC) Remote Desktop connections Prefetch files Recent documents Automatic Destinations (LNK) Security Log RDP Operational Log Application Logs Temporary Internet Files Deleted files – recoverable from the disk NTFS Structures Hiberfil.sys Memory dumps
  • 5. #RSAC DEMO: DATA ON DISK ANALYSIS
  • 6. # R S A C Techniques for Hiding vs. Recovering Data
  • 8. # R S A C Searching for a Trace: Memory Memory Handles Processes Hidden Processes (ActiveProcessLinks) Files that can be extracted Threads Modules Registry API Hooks Services UserAssist Shellbags ShimCache Event Logs Timeline
  • 11. # R S A C Agenda
  • 12. # R S A C Sysmon Entry Information Allows to build an attack timeline Allows to define an entry point and anomalies Collects and records system events to the Windows event log It is free and easy to set up Good practices Filter out uninteresting events (image loads etc.) Make sure event log is big enough Centralize the events in a separate server You can download Sysmon from Sysinternals.com
  • 14. # R S A C Sysmon: Events and Filtering Examples Filtering Rules Include thread injections into lsass: <CreateRemoteThread onmatch="include"> <TargetImage condition="image">lsass.exe</TargetImage> </CreateRemoteThread > Exclude all Microsoft-signed image loads: <ImageLoad onmatch="exclude"> <Signature condition="contains">Microsoft</Signature> <Signature condition="contains">Windows</Signature> </ImageLoad> Recorded Events Event ID 1: Process creation Event ID 2: A process changed a file creation time Event ID 3: Network connection Event ID 4: Sysmon service state changed Event ID 5: Process terminated Event ID 6: Driver loaded Event ID 7: Image loaded Event ID 8: CreateRemoteThread Event ID 9: RawAccessRead Event ID 10: ProcessAccess And more
  • 16. #RSAC DEMO: SYSMON AND NETWORK + getting info about the IP addresses
  • 17. # R S A C Apply: Adventures Summary  Make sure all tracing features on the drive and in the system are enabled: USN, Prefech etc.  Image first then play  Create Incident Response Procedure (most of the Customers we start the adventure with do not have it…)
  • 18. # R S A C
  • 19. # R S A C
  • 20. # R S A C

Editor's Notes

  1. [60] Normalnie takie rzczy sa po patchowaniu. Skrypt – informacja – RDP Operational Prefetch – mimikatz.
  2. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys? 1. Indexing service
  3. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  4. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  5. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  6. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  7. [30]
  8. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  9. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  10. [50]How can we use MSDCC2 within the attack? Is it really useless for bad guys?
  11. Licence: Common