1 11/12/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List
CDP-B371
Paula Januszkiewicz
MVP: Enterprise Security, MCT
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
Contact: |

3 Tools! Our tools: http://cqure.pl  Tools
Check out the following links:
- Benjamin Delpy
- Csaba Barta

4 Session Goal
- Be familiar with the possibilities of the operating system
  - From the user mode and kernel mode
- We are NOT talking about forensics!
  - … just doing a little hacking + conclusions
- My goal: see one of the ways a hacker can act

5 Agenda
1 Introduction
2 Mandatory Checklist
4 Summary

6 Stay Anonymous
TOR Network
- Ready-to-use solution to anonymize the traffic
- Source of the DDoS attacks
- Tor protects by bouncing communications around a distributed network
  - Proxy, Virtual Private Networks, Dial-up, Host Bouncing
  - Prevents others from learning your location or browsing habits
  - Supports HTTP and HTTPS connections
NAT Connections
- NAT forces a compromise in anonymity
- Issue: you need to find a way to leave the backdoor

7 Anonymize the traffic Know the services
Hacker’s Fundamentals

8 Know your victim
From the network perspective
- Public services, IP address range etc.
- Business model
- Branch connections
- Potential points of entry
From the habits perspective
- Corporate policy
- Administrator’s friends and hobby
- User’s habits

9 Attack Users
Users
- Users rarely have software up to date
- Awareness issues
- ... But for a hacker it may not be enough
Administrators
- Local account
  - Password reuse for workstations
  - Different password for workstations
- Domain account
  - Domain user being local administrator
  - Domain administrator

10 Scripts are Cool

11 Make your backdoor persistent
- Services
- DLLs
- Startup (Menu Start)
- Task Scheduler
- LSA Providers
- Run, Run Once
- GPO
- Notification Package
- Winlogon
- Image Hijacking
- Drivers
- Etc.

12 Stay Persistent

13 Stay undetected
- If you are not ready to attack: stay stealthy and do not change the system behavior
- Hide your traces
  - Processes
  - Files
- Infrastructure performance
  - Network traffic
  - Server / Client Platform Performance

14 Stay undetected

15 Leverage your position
… and find more victims
- Do reconnaissance on where you can get in (ADMIN$)
- Service Accounts
- Connection Strings / Application Pool
- LSA Secrets
- Inappropriate permissions

16 Victim Recon

17 Use victims to attack more targets
- Create the remotely controlled network
- Automate next scans
- Create your own botnet
What can be the hacker’s goal in your infrastructure?

18 Agenda
1 Introduction
2 Mandatory Checklist
4 Summary

19 Summary for Hackers
- Stay Anonymous
- Know your victim
- Use the social skills
- Stay persistent
- Stay undetected
- Use victims to attack more targets

20 Summary for Administrators
- Learn how to detect malicious situations
- Know your system when it is safe – you need a baseline
- If you detect a successful attack – do not try to fight
  - Report the issue
  - Investigate and do an IT Audit
  - Estimate the range of the attack
- Know how to recover your data, when necessary
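
The baseline advice above, applied to the persistence locations listed on slide 11, as an added example that is not part of the original presentation: a report-only PowerShell script that snapshots common autostart entries and diffs them against a saved baseline. The baseline path and the function names are assumptions made for this example; the registry keys and cmdlets are standard Windows ones.

```powershell
# Added example: report-only snapshot of autostart locations, diffed against a baseline.
# $BaselinePath is a hypothetical location; run elevated on a known-good system first.
$BaselinePath = 'C:\Baseline\autostart.csv'

function Get-RegValues($Path, $Names) {
    $k = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $k) { return }
    if (-not $Names) { $Names = $k.GetValueNames() }
    foreach ($n in $Names) {
        $v = $k.GetValue($n)
        if ($null -ne $v) {   # REG_MULTI_SZ values are flattened to one string
            [pscustomobject]@{ Source = $Path; Name = $n; Value = (@($v) -join ';') }
        }
    }
}

function Get-AutostartSnapshot {
    $cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
    $nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    foreach ($hive in 'HKLM:', 'HKCU:') {          # Run / RunOnce
        Get-RegValues "$hive\$cv\Run"
        Get-RegValues "$hive\$cv\RunOnce"
    }
    Get-RegValues "$nt\Winlogon" 'Shell', 'Userinit'
    Get-RegValues 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        'Authentication Packages', 'Security Packages', 'Notification Packages'
    # Image hijacking: a Debugger value under Image File Execution Options
    Get-ChildItem "$nt\Image File Execution Options" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-RegValues "Registry::$($_.Name)" 'Debugger' }
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {   # services and drivers
        Get-CimInstance -ClassName $class | ForEach-Object {
            [pscustomobject]@{ Source = $class; Name = $_.Name; Value = [string]$_.PathName }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName
            Value = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';' }
    }
}

$current = @(Get-AutostartSnapshot)
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation   # first run: record baseline
} else {
    Compare-Object (Import-Csv $BaselinePath) $current -Property Source, Name, Value |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'New or changed' } else { 'Missing or old' } } },
                      Source, Name, Value
}
```

The script only reads and reports, in line with the slide's advice to report and investigate rather than fight; GPO scripts, Startup folders and DLL load paths from slide 11 are not covered by it.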
