11/12/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11/12/2018 Hacker’s Perspective on Your Windows Infrastructure Mandatory Check List CDP-B371 Paula Januszkiewicz MVP: Enterprise Security, MCT CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer Contact: paula@cqure.us | http://cqure.us © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Tools! Our tools: http://cqure.pl  Tools 11/12/2018 12:30 PM Tools! Our tools: http://cqure.pl  Tools Check out the following links: http://www.gentilkiwi.com/ - Benjamin Delpy http://www.ntdsxtract.com/ - Csaba Barta © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session Goal Be familiar with the possibilities of the operating system From the user mode and kernel mode We are NOT talking about the forensics! … just doing a little hacking + conclusions My goal: See one of the ways hacker can act

Agenda Introduction 1 4 Summary 2 Mandatory Checklist

Stay Anonymous TOR Network Ready to use solution to anonymize the traffic Source of the DDoS attacks Tor protects by bouncing communications around a distributed network Proxy, Virtual Private Networks, Dial-up, Host Bouncing To prevents others from learning your location or browsing habits Support HTTP and HTTPS connections NAT Connections NAT enforces to take compromise in anonymity Issue: You need to find the way to leave the backdoor

Anonymize the traffic Know the services Hacker’s Fundamentals

Know your victim From the network perspective 11/12/2018 Know your victim From the network perspective Public services, IP address range etc. Business model Branch connections Potential points of entry From the habits perspective Corporate policy Administrator’s friends and hobby User’s habits © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Attack Users Users Administrators Users rarely have software up to date Awareness issues ... But for hacker it may be not enough Administrators Local account Password reuse for workstations Different password for workstations Domain account Domain user being local administrator Domain administrator

Scripts are Cool

Make your backdoor persistent Services DLLs Startup (Menu Start) Task Scheduler LSA Providers Run, Run Once GPO Notification Package Winlogon Image Hijacking Drivers Etc.

Stay Persistent

11/12/2018 Stay undetected If you are not ready to attack: stay stealth and do not change the system behavior Hide your traces Processes Files Infrastructure performance Network traffic Server / Client Platform Performance © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Stay undetected

Leverage your position 11/12/2018 Leverage your position … and find more victims Make recognition where you can get in (ADMIN$) Service Accounts Connection Strings / Application Pool LSA Secrets Inappropriate permissions © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Victim Recon

Use victims to attack more targets 11/12/2018 Use victims to attack more targets Create the remotely controlled network Automate next scans Create your own botnet What can be the hacker’s goal in your infrastructure? © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda Introduction 1 4 Summary 2 Mandatory Checklist

Summary for Hackers Stay Anonymous Know your victim Use the social skills Stay persistent Stay undetected Use victims to attack more targets

Summary for Administrators Learn how to detect malicious situations Know your system when it is safe – you need a baseline If you detect a successful attack – do not try to fight Report the issue Investigate and do an IT Audit Estimate the range of the attack Know how to recover your data, when necessary

Resources Learning TechNet Developer Network 11/12/2018 Resources Sessions on Demand http://channel9.msdn.com/Events/TechEd Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Developer Network http://developer.microsoft.com © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

For more information Windows Server System Center Azure Pack Windows Server Technical Preview http://technet.microsoft.com/library/dn765472.aspx Windows Server System Center System Center Technical Preview http://technet.microsoft.com/en-us/library/hh546785.aspx Azure Pack http://www.microsoft.com/en-us/server-cloud/products/ windows-azure-pack Microsoft Azure http://azure.microsoft.com/en-us/ Come visit us in the Microsoft Solutions Experience (MSE)! Look for the Cloud and Datacenter Platform area TechExpo Hall 7

Azure Exams EXAM 532 Developing Microsoft Azure Solutions Implementing Microsoft Azure Infrastructure Solutions EXAM 533 (Coming soon) Architecting Microsoft Azure Solutions EXAM 534 http://bit.ly/ Azure-Cert + Classroom training (Coming soon) Microsoft Azure Fundamentals MOC 10979 MOC 20532 Developing Microsoft Azure Solutions Implementing Microsoft Azure Infrastructure Solutions MOC 20533 2 5 5 http://bit.ly/ Azure-Train Online training (Coming soon) Microsoft Azure Fundamentals MVA (Coming soon) Architecting Microsoft Azure Solutions MVA http://bit.ly/ Azure-MVA Get certified for 1/2 the price at TechEd Europe 2014! http://bit.ly/ TechEd-CertDeal

Please Complete An Evaluation Form Your input is important! 11/12/2018 Please Complete An Evaluation Form Your input is important! TechEd Mobile app Phone or Tablet QR code TechEd Schedule Builder CommNet station or PC © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Evaluate this session 11/12/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11/12/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.