Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers...
Uploaded by: paula-januszkiewicz | Category: Education
Transcript of Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers...
![Page 1: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/1.jpg)
Explore adventures in the underland: Forensic techniques against hackers evading the hook
Paula Januszkiewicz
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Contact: [email protected] | http://cqure.us
@paulacqure @CQUREAcademy
![Page 3: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/3.jpg)
There is pretty much always something you can find…
![Page 4: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/4.jpg)
Searching for a Trace: Disk
Disk
- Profile, NTUSER
- Run dialog
- Most Recently Used (MRU)
- Management Console (MMC)
- Remote Desktop connections
- Prefetch files
- Recent documents
- Automatic Destinations (LNK)
- Security Log
- RDP Operational Log
- Application Logs
- Temporary Internet Files
- Deleted files (recoverable from the disk)
- NTFS Structures
- Hiberfil.sys
- Memory dumps
![Page 5: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/5.jpg)
Demo: Data on Disk Analysis
![Page 6: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/6.jpg)
Techniques for Hiding vs. Recovering Data
File Level Games
- Extension change
- Joining files
- Alternative data streams
- Embedding
- Playing with the content
- Steganography
- Deletion

Disk Level Games
- Hiding data
- Encryption
![Page 7: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/7.jpg)
Demo: Data Recovery
![Page 8: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/8.jpg)
Searching for a Trace: Memory
Memory
- Handles
- Processes
- Hidden Processes (ActiveProcessLinks)
- Files that can be extracted
- Threads
- Modules
- Registry
- API Hooks
- Services
- UserAssist
- Shellbags
- ShimCache
- Event Logs
- Timeline
![Page 9: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/9.jpg)
Demo: Extracting Logs from Memory
![Page 10: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/10.jpg)
Demo: Dump Analysis
![Page 11: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/11.jpg)
Agenda
1. Intro
2. Proactive Monitoring
3. Passive Data Collection
4. Summary
![Page 12: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/12.jpg)
Sysmon

Entry Information
- Lets you build an attack timeline
- Lets you define an entry point and anomalies
- Collects and records system events to the Windows event log
- It is free and easy to set up

Good practices
- Filter out uninteresting events (image loads etc.)
- Make sure the event log is big enough
- Centralize the events on a separate server
You can download Sysmon from Sysinternals.com
![Page 13: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/13.jpg)
Demo: Sysmon in Action
![Page 14: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/14.jpg)
Sysmon: Events and Filtering Examples

Filtering Rules

Include thread injections into lsass:

```xml
<!-- Only CreateRemoteThread events whose target image is lsass.exe are recorded -->
<CreateRemoteThread onmatch="include">
  <TargetImage condition="image">lsass.exe</TargetImage>
</CreateRemoteThread>
```

Exclude all Microsoft-signed image loads:

```xml
<!-- ImageLoad events whose signature contains either string are dropped -->
<ImageLoad onmatch="exclude">
  <Signature condition="contains">Microsoft</Signature>
  <Signature condition="contains">Windows</Signature>
</ImageLoad>
```

Recorded Events
- Event ID 1: Process creation
- Event ID 2: A process changed a file creation time
- Event ID 3: Network connection
- Event ID 4: Sysmon service state changed
- Event ID 5: Process terminated
- Event ID 6: Driver loaded
- Event ID 7: Image loaded
- Event ID 8: CreateRemoteThread
- Event ID 9: RawAccessRead
- Event ID 10: ProcessAccess
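The two filtering rules above and the "build an attack timeline" claim from the Sysmon slide, worked through as an added example that is not part of the presentation: the script mirrors Sysmon's include/exclude semantics for the two rules in Python, parses a handful of constructed event records laid out like the XML Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel (paths, times, signatures and IP addresses are all made up), and orders what survives into a timeline. Event types with no rule are simply passed through here; that is a simplification for the example, not a statement about Sysmon defaults.

```python
"""Apply the slide's two Sysmon filtering rules to sample events and build a timeline.

Added example, not code from the presentation. The record layout follows the
shape of exported Sysmon events; every value in SAMPLE_RECORDS is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Minimal record template in the shape of an exported Sysmon event.
EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{eid}</EventID>'
    "<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>"
    "<EventData>{data}</EventData></Event>"
)


def make_event(eid: int, fields: Dict[str, str]) -> str:
    """Render one constructed Sysmon-style record (sample data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return EVENT_XML.format(eid=eid, data=data)


TOOL = r"C:\Users\bob\Downloads\tool.exe"  # constructed path
SAMPLE_RECORDS: List[str] = [
    make_event(1, {"UtcTime": "2016-09-26 10:00:01.000", "Image": TOOL,
                   "CommandLine": "tool.exe -x", "ParentImage": r"C:\Windows\explorer.exe"}),
    make_event(7, {"UtcTime": "2016-09-26 10:00:02.000", "Image": TOOL,
                   "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signature": "Microsoft Windows"}),
    make_event(7, {"UtcTime": "2016-09-26 10:00:03.000", "Image": TOOL,
                   "ImageLoaded": r"C:\Users\bob\Downloads\inject.dll", "Signature": "Unsigned Vendor"}),
    make_event(8, {"UtcTime": "2016-09-26 10:00:04.000", "SourceImage": TOOL,
                   "TargetImage": r"C:\Windows\System32\lsass.exe"}),
    make_event(8, {"UtcTime": "2016-09-26 10:00:05.000", "SourceImage": r"C:\Windows\System32\svchost.exe",
                   "TargetImage": r"C:\Windows\System32\notepad.exe"}),
    make_event(3, {"UtcTime": "2016-09-26 10:00:06.000", "Image": TOOL,
                   "DestinationIp": "203.0.113.10", "DestinationPort": "443"}),
]

# The slide's rules: event id -> (onmatch, [(field, condition, pattern), ...])
RULES = {
    8: ("include", [("TargetImage", "image", "lsass.exe")]),
    7: ("exclude", [("Signature", "contains", "Microsoft"),
                    ("Signature", "contains", "Windows")]),
}


def parse_event(xml_text: str) -> Tuple[int, Dict[str, str]]:
    """Return (EventID, {Data Name: value}) from one event record."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, fields


def condition_matches(value: str, cond: str, pattern: str) -> bool:
    """Case-insensitive match for the two Sysmon conditions the slide uses."""
    v, p = value.lower(), pattern.lower()
    if cond == "image":  # full path or just the file name
        return v == p or v.rsplit("\\", 1)[-1] == p
    if cond == "contains":
        return p in v
    raise ValueError(f"unsupported condition {cond!r}")


def keep_event(eid: int, fields: Dict[str, str]) -> bool:
    """include: record only on a hit; exclude: drop on a hit; no rule: pass through."""
    if eid not in RULES:
        return True
    onmatch, conds = RULES[eid]
    hit = any(condition_matches(fields.get(f, ""), c, pat) for f, c, pat in conds)
    return hit if onmatch == "include" else not hit


def summarize(eid: int, f: Dict[str, str]) -> str:
    """One-line description per event type, using the field names Sysmon emits."""
    if eid == 1:
        return f"process created: {f.get('Image')} <- {f.get('ParentImage')}"
    if eid == 3:
        return f"network connection: {f.get('Image')} -> {f.get('DestinationIp')}:{f.get('DestinationPort')}"
    if eid == 7:
        return f"image loaded: {f.get('ImageLoaded')} by {f.get('Image')} [{f.get('Signature')}]"
    if eid == 8:
        return f"remote thread: {f.get('SourceImage')} -> {f.get('TargetImage')}"
    return f"event id {eid}"


def build_timeline(records: List[str]) -> List[Tuple[str, int, str]]:
    """Filter the records with RULES and return (UtcTime, EventID, summary) in time order."""
    kept = []
    for xml_text in records:
        eid, f = parse_event(xml_text)
        if keep_event(eid, f):
            kept.append((f["UtcTime"], eid, summarize(eid, f)))
    return sorted(kept)


if __name__ == "__main__":
    for when, eid, what in build_timeline(SAMPLE_RECORDS):
        print(when, f"ID {eid:2d}", what)
```

Running it prints four lines: the process creation, the unsigned DLL load, the remote thread into lsass.exe and the outbound connection; the Microsoft-signed ntdll.dll load and the remote thread into notepad.exe are filtered out exactly as the two XML rules would filter them in Sysmon.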
![Page 15: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/15.jpg)
Demo: Sysmon Customized
![Page 16: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/16.jpg)
Demo: Sysmon and Network, plus getting info about the IP addresses
![Page 17: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/17.jpg)
Forensics adventures: Summary
- Make sure all tracing features on the drive and in the system are enabled: USN, Prefetch etc.
- Image first, then play
- Create an Incident Response Procedure (most of the customers we start the adventure with do not have one…)
![Page 19: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/19.jpg)
![Page 21: Microsoft Ignite session: Explore adventures in the underland: forensic techniques against hackers evading the hook](https://reader035.fdocuments.in/reader035/viewer/2022062503/586e730e1a28ab99598b5307/html5/thumbnails/21.jpg)
From your PC or Tablet visit MyIgnite at http://myignite.microsoft.com
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp
Please evaluate this session. Your feedback is important to us!