
Post on 13-Dec-2015


Crouching Admin, Hidden Hacker: Techniques for Hiding and Detecting Traces

Paula Januszkiewicz, Penetration Tester, MVP: Enterprise Security, MCT; iDesign - CQURE: paula@idesign.net

Agenda (four parts)

Accountability - Idea - Hiding & Detecting - Delivery & Launch - Summary

Operating System Accountability

- Windows 7 is designed to be used securely
- Achieved Evaluation Assurance Level (EAL) 4+ certification that meets Federal Information Processing Standard (FIPS) #140-2
- Has C2 certification (Trusted Computer System Evaluation Criteria)
- Passed the Common Criteria Certification process

The above means that every step leaves some trace!


Operating System Logging Mechanisms


- Event Log: extendable, supported by API
- Plain text files (.log)
- Kernel traces
- Notifications
- SQL (ODBC)
- Application related
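The first item on that list is the one a defender leans on most: the Event Log can be extended with new logs and sources, and both writing and reading go through one API. The PowerShell below is an added example, not code from the talk or from the CQURE tools; the log name, source name and event ID are assumptions chosen for this example. Writing needs administrator rights the first time, because registering a source creates the log.

```powershell
# Added example, not from the talk: extend the Event Log with a custom log and
# source, write to it, then read system events back through the same API.
# Log and source names below are assumptions for this example.
$logName = 'CQURE-Demo'
$source  = 'TraceWatcher'

# Registering a source creates the log on first use (administrator required).
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}

# Any application can leave its own trace here.
Write-EventLog -LogName $logName -Source $source -EventId 1000 `
    -EntryType Information -Message 'Baseline check started'

# Reading with the same API: service installations recorded by the Service
# Control Manager (System log, event 7045). Property 0 is the service name,
# property 1 the image path, which is what a reviewer wants to see first.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'Service';   Expression = { $_.Properties[0].Value } },
        @{ Name = 'ImagePath'; Expression = { $_.Properties[1].Value } }

# The custom log is readable the same way as the built-in ones.
Get-WinEvent -LogName $logName -MaxEvents 5
```

Event 7045 is written by the Service Control Manager without any audit policy change, which is why it is a cheap first place to look when the "Services" area of focus is under review; the Security-log equivalent (4697) only appears when the corresponding audit subcategory is enabled.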

Tools: http://stderr.pl/cqure/tools.zip

Demo: Logs Less & More Advanced

Hacker’s Delivery


Binaries are delivered:

- With files from the Internet
- On removable media
- Through the LAN
- Through offline access
- By manipulating legitimate files
- Using vulnerabilities (buffer overflows)

Demo: Replacing Files

Demo: "Vulnerabilities"

Demo: Services & ACLs

Launching Evil Code

- Cheating the administrator
- Using automated ways: Explorer, Services, Drivers, DLLs
- Replacing files
- Path manipulation
- Injecting code
- Hooking calls

Demo: Services (In)Security

Demo: From A to Z - DLLs

Demo: Stuxnet Drivers

Areas of Focus

Problem: Too much information to control

Solution: Select areas with a high probability of infection

- DLLs
- Services
- Executables
- Drivers

This attitude works as a first step


Dirty Games: Protection Mechanisms

- Introduced in Windows Vista
- Part of Digital Rights Management
- Protection is provided in two ways: an extension to the EPROCESS structure (the ProtectedProcess bit) and a signing policy

Demo: Protected Processes

Dirty Games: Hiding Mechanisms

- Bypassing neighbouring process objects
- Pointing the pointer: nt!_EPROCESS ActiveProcessLinks manipulation
- Does not affect software operation
- Threads are still visible
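The defender's answer to list unlinking is a cross-view check: enumerate processes through several paths and look for disagreement. The slide notes that threads remain visible; the added example below, which is not from the talk, uses a different second view that is easy to reach from user mode: OpenProcess resolves a PID through the kernel's handle (CID) table rather than the ActiveProcessLinks list, so a PID that can be opened but is absent from every listing is worth a closer look. The access-mask constant, PID range and function name are assumptions for this example, and it is a heuristic, not proof: a kernel component that also tampers with the query path can defeat it.

```powershell
# Added example, not from the talk: cross-view detection of a process that has
# been unlinked from ActiveProcessLinks. Get-Process and WMI walk the list;
# OpenProcess goes through the CID handle table, so the views can disagree.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$QueryLimited = 0x1000   # PROCESS_QUERY_LIMITED_INFORMATION (assumed sufficient here)

function Get-HiddenProcessCandidates {
    # View 1: the snapshot API used by Task Manager and Get-Process
    $inApi = @{}
    Get-Process | ForEach-Object { $inApi[[int]$_.Id] = $_.ProcessName }

    # View 2: WMI/CIM (keys kept as [int] so hashtable lookups compare equal)
    $inWmi = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $inWmi[[int]$_.ProcessId] = $_.Name }

    # View 3: try every PID (PIDs are multiples of 4). A successful open means the
    # kernel still knows the object even if no list mentions it.
    $found = @()
    for ($id = 4; $id -lt 65536; $id += 4) {
        $h = [Win32.Proc]::OpenProcess($QueryLimited, $false, $id)
        if ($h -eq [IntPtr]::Zero) { continue }
        [void][Win32.Proc]::CloseHandle($h)
        if (-not ($inApi.ContainsKey($id) -and $inWmi.ContainsKey($id))) {
            $found += [pscustomobject]@{
                PID          = $id
                InGetProcess = $inApi.ContainsKey($id)
                InWmi        = $inWmi.ContainsKey($id)
            }
        }
    }
    return $found
}

# Processes starting or exiting between the three views cause one-off mismatches,
# so only PIDs that appear in two consecutive runs are reported.
$first  = Get-HiddenProcessCandidates
Start-Sleep -Seconds 2
$second = Get-HiddenProcessCandidates
$stable = $first | Where-Object { $_.PID -in $second.PID }
if ($stable) { $stable | Format-Table -AutoSize } else { 'No cross-view discrepancies found.' }
```

Run it elevated so that protected and system-owned processes can be opened; otherwise an access-denied result for a legitimate PID looks the same as a PID that does not exist.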

Demo: Hidden Processes

Dirty Games: Hooks


- Allow running our code instead of the system code
- Work on running code
- Allow intercepting API calls
- Do not require special privileges
- Useful for developers... and for the 'bad guys & girls'

Demo: Hooking

3 of 10 Immutable Laws of Security

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Demo: Passwords in the Operating System


Summary

- Learn how to detect malicious situations
- Know your system when it is safe – you need a baseline
- If you detect a successful attack – do not try to fight
- Report the issue
- Format your drive
- Estimate the range of the attack
- Know how to recover your data, when necessary
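"Know your system when it is safe" and the earlier "areas of focus" (DLLs, services, executables, drivers) are the same advice from two sides: record those four areas while the machine is known-good, then diff a later snapshot against the record. The PowerShell below is an added example, not code from the talk or the CQURE tools; the function names, the directory that is hashed and the baseline file location are assumptions.

```powershell
# Added example, not from the talk: baseline the four "areas of focus" on a clean
# system, then compare a later snapshot. Directories and file path are assumptions.
function Get-FocusSnapshot {
    param([string[]]$CodeDirs = @("$env:SystemRoot\System32"))
    $snap = @{}

    # Services and drivers: image path and start type, keyed by name.
    Get-CimInstance Win32_Service | ForEach-Object {
        $snap["svc:$($_.Name)"] = "$($_.PathName)|$($_.StartMode)"
    }
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $snap["drv:$($_.Name)"] = "$($_.PathName)|$($_.StartMode)"
    }

    # Executables, DLLs and driver files: SHA-256 per file, keyed by full path.
    # Files that cannot be read (locked or ACL-protected) are skipped, not failed on.
    foreach ($dir in $CodeDirs) {
        Get-ChildItem -Path $dir -Include *.exe,*.dll,*.sys -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($hash) { $snap["file:$($_.FullName)"] = $hash.Hash }
            }
    }
    return $snap
}

function Compare-FocusSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Added';    Item = $k; Value = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Item = $k; Value = $Current[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Removed';  Item = $k; Value = $Baseline[$k] }
        }
    }
    return $findings
}

# First run on a known-good system writes the baseline; later runs diff against it.
$baselineFile = "$env:ProgramData\focus-baseline.json"   # assumed location
if (-not (Test-Path $baselineFile)) {
    Get-FocusSnapshot | ConvertTo-Json | Set-Content -Path $baselineFile
    Write-Host "Baseline written to $baselineFile"
} else {
    $baseline = @{}
    (Get-Content $baselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    Compare-FocusSnapshot -Baseline $baseline -Current (Get-FocusSnapshot) | Format-Table -AutoSize
}
```

Hashing all of System32 takes a few minutes, and the baseline file should live somewhere an attacker who already controls the box cannot quietly rewrite (offline media or a remote store), otherwise the comparison only proves the baseline agrees with itself. Expect a burst of "Modified" entries after each patch cycle; re-baseline once those have been reviewed.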

Related Content

Breakout Sessions (SIA203, SIA311, SIA304, SIA307)

Find Me Later At TLC

Resources

Connect. Share. Discuss.

http://europe.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Evaluations

http://europe.msteched.com/sessions

Submit your evals online

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.