Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crouching Admin, Hidden Hacker Techniques for Hiding and Detecting Traces Paula Januszkiewicz Penetration Tester, MVP: Enterprise Security, MCT iDesign.

Published byJacob Phelps Modified over 8 years ago

Similar presentations

Presentation on theme: "Crouching Admin, Hidden Hacker Techniques for Hiding and Detecting Traces Paula Januszkiewicz Penetration Tester, MVP: Enterprise Security, MCT iDesign."— Presentation transcript:

1 Crouching Admin, Hidden Hacker Techniques for Hiding and Detecting Traces Paula Januszkiewicz Penetration Tester, MVP: Enterprise Security, MCT iDesign - CQURE: paula@idesign.net

2 Accountability IdeaHiding & Detecting 1234 Delivery & LaunchSummary

3 The above means that every step leaves some trace! Windows 7 is designed to be used securely Achieved Evaluation Assurance Level (EAL) 4+ certification that meets Federal Information Processing Standard (FIPS) #140-2 Has C2 certification (Trusted Computer System Evaluation Criteria) Passed the Common Criteria Certification process

4 Accountability IdeaHiding & Detecting 1234 Delivery & LaunchSummary

5 http://www.clearci.com Event Log Extendable Supported by API Plain text files (.log) Kernel traces Notifications SQL (ODBC) Application related

6 demo http://stderr.pl/cqure/tools.zip

7 demo Logs Less & More Advanced

8 http://www.batwinas.com Binaries are delivered With files from the Internet On the removable media Through LAN Through offline access By manipulating legitimate files Using vulnerabilities Buffer overflows

9 demo Replacing Files

10 demo "Vulnerabilities"

11 demo Services & ACLs

12 Cheating administrator Using automated ways Explorer Services Drivers DLLs Replacing files Path manipulation Injecting code Hooking calls

13 demo Services (In)Security

14 demo From A to Z - DLLs

15 demo Stuxnet Drivers

16 Problem: Too much information to control Solution: Select areas with high probability of infection DLLs Services Executables Drivers This attitude works as a first step

17 Accountability IdeaHiding & Detecting 1234 Delivery & LaunchSummary

18

19 demo Protected Processes

20 Bypassing neighbored process objects Pointing the pointer nt!_eprocess ActiveProcessLinks manipulation Does not affect software operation Threads are still visible

21 demo Hidden Processes

22 http://www.lukechueh.com/

23 demo Hooking

24

25 demo Passwords In Operating System

26 Accountability IdeaHiding & Detecting 1234 Delivery & LaunchSummary

27 Learn how to detect malicious situations Know your system when it is safe – you need a baseline If you detect a successful attack – do not try to fight Report the issue Format your drive Estimate the range of the attack Know how to recover your data, when necessary

28 Breakout Sessions (SIA203, SIA311, SIA304, SIA307) Find Me Later At TLC

29 Connect. Share. Discuss. http://europe.msteched.com Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn

30 Evaluations http://europe.msteched.com/sessions Submit your evals online

31

Download ppt "Crouching Admin, Hidden Hacker Techniques for Hiding and Detecting Traces Paula Januszkiewicz Penetration Tester, MVP: Enterprise Security, MCT iDesign."

Similar presentations

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
Introducing the New Visual Studio 2012 Unit Testing Experience Peter Provost Sr. Program Manager Lead Microsoft Corporation DEV214.

Introducing the New Visual Studio 2012 Unit Testing Experience Peter Provost Sr. Program Manager Lead Microsoft Corporation DEV214.
Troubleshooting Windows 7 Deployments Michael Niehaus Senior Program Manager Microsoft Corporation.

Troubleshooting Windows 7 Deployments Michael Niehaus Senior Program Manager Microsoft Corporation.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Session Goal Be familiar with the possibilities of the operating system From the user mode and kernel mode We are NOT talking about the forensics!

Session Goal Be familiar with the possibilities of the operating system From the user mode and kernel mode We are NOT talking about the forensics!
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Data Mining 2012 with Microsoft Excel 2010 and PowerPivot Mark Tabladillo, Ph.D. Microsoft MVP, Data Mining Architect MarkTab Consulting DBI204.

Data Mining 2012 with Microsoft Excel 2010 and PowerPivot Mark Tabladillo, Ph.D. Microsoft MVP, Data Mining Architect MarkTab Consulting DBI204.
Auditing in Microsoft SQL Server 2012 Il-Sung Lee Program Manager Microsoft Corporation DBI407.

Auditing in Microsoft SQL Server 2012 Il-Sung Lee Program Manager Microsoft Corporation DBI407.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Deep Application Management with Microsoft System Center 2012 Configuration Manager Adwait Joshi Senior Product Marketing Manager Microsoft Corporation.

Deep Application Management with Microsoft System Center 2012 Configuration Manager Adwait Joshi Senior Product Marketing Manager Microsoft Corporation.
Data Mining 2012 with Microsoft Excel 2010 and PowerPivot Mark Tabladillo, Ph.D. Microsoft MVP, Data Mining Architect MarkTab Consulting DBI204.

Data Mining 2012 with Microsoft Excel 2010 and PowerPivot Mark Tabladillo, Ph.D. Microsoft MVP, Data Mining Architect MarkTab Consulting DBI204.
Paula Januszkiewicz IT Security Auditor, MVP, MCT ISCG Session Code: SIA308.

Paula Januszkiewicz IT Security Auditor, MVP, MCT ISCG Session Code: SIA308.
Top 10 Production Experiences with Service Manager and Orchestrator Nathan Lasnoski Infrastructure Architect Microsoft MVP Concurrency.

Top 10 Production Experiences with Service Manager and Orchestrator Nathan Lasnoski Infrastructure Architect Microsoft MVP Concurrency.
Office Deployment – Notes from the Field Richard Smith Solution Architect – Services Client Solutions Microsoft Corporation OSP340.

Office Deployment – Notes from the Field Richard Smith Solution Architect – Services Client Solutions Microsoft Corporation OSP340.
Branding and Customizing My Sites with Microsoft SharePoint Server 2010 John Ross & Randy Drisgill MVPs Rackspace Hosting OSP337.

Branding and Customizing My Sites with Microsoft SharePoint Server 2010 John Ross & Randy Drisgill MVPs Rackspace Hosting OSP337.
Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012) Chuck Heinzelman Senior Program Manager – BPD CX Microsoft Corporation.

Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012) Chuck Heinzelman Senior Program Manager – BPD CX Microsoft Corporation.
Step-by-Step Building Search Driven Applications That Matter Scot Hillier SharePoint MVP Scot Hillier Technical Solutions, LLC OSP336.

Step-by-Step Building Search Driven Applications That Matter Scot Hillier SharePoint MVP Scot Hillier Technical Solutions, LLC OSP336.
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.

 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.

Similar presentations

Ads by Google