
Crouching Admin, Hidden Hacker Techniques for Hiding and Detecting Traces


Presentation Transcript


  1. Crouching Admin, Hidden Hacker: Techniques for Hiding and Detecting Traces. Paula Januszkiewicz, Penetration Tester, MVP: Enterprise Security, MCT, iDesign - CQURE: paula@idesign.net

  2. Agenda: Accountability; Idea; Delivery & Launch; Hiding & Detecting; Summary

  3. Operating System Accountability. Windows 7 is designed to be used securely:
  • Achieved Evaluation Assurance Level (EAL) 4+ certification that meets Federal Information Processing Standard (FIPS) 140-2
  • Has C2 certification (Trusted Computer System Evaluation Criteria)
  • Passed the Common Criteria certification process
  The above means that every step leaves some trace!


  5. Operating System Logging Mechanisms
  • Event Log (extendable, supported by API)
  • Plain text files (.log)
  • Kernel traces
  • Notifications
  • SQL (ODBC)
  • Application related
  Image credit: http://www.clearci.com

  6. demo http://stderr.pl/cqure/tools.zip

  7. demo Logs Less & More Advanced

  8. Hacker’s Delivery. Binaries are delivered:
  • With files from the Internet
  • On removable media
  • Through the LAN
  • Through offline access
  • By manipulating legitimate files
  • Using vulnerabilities (e.g. buffer overflows)
  Image credit: http://www.batwinas.com

  9. demo Replacing Files

  10. demo "Vulnerabilities"

  11. demo Services & ACLs

  12. Launching Evil Code
  • Cheating the administrator
  • Using automated ways: Explorer, Services, Drivers, DLLs
  • Replacing files
  • Path manipulation
  • Injecting code
  • Hooking calls

  13. demo Services (In)Security

  14. demo From A to Z - DLLs

  15. demo Stuxnet Drivers

  16. Areas of Focus
  • Problem: too much information to control
  • Solution: select areas with a high probability of infection: DLLs, Services, Executables, Drivers
  • This attitude works as a first step


  18. Dirty Games: Protection Mechanisms
  • Introduced in Windows Vista
  • Part of Digital Rights Management
  • Protection is provided in two ways: an extension to the EPROCESS structure (the ProtectedProcess bit) and a signing policy

  19. demo Protected Processes

  20. Dirty Games: Hiding Mechanisms
  • Bypassing the neighbouring process objects by re-pointing their pointers
  • nt!_EPROCESS ActiveProcessLinks manipulation
  • Does not affect software operation
  • Threads are still visible

  21. demo Hidden Processes
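  Added example, not from the deck: a toy C model of the slide's point. Unlinking an entry from an ActiveProcessLinks-style list hides it from any tool that walks the list, but the process's threads still point at their owner, so a cross-view check (list walk versus thread owners) still finds it. All structures, PIDs and TIDs here are constructed stand-ins, not real kernel layouts.

```c
/* Toy model of ActiveProcessLinks unlinking and cross-view detection (not kernel code). */
#include <stdio.h>

typedef struct proc {
    unsigned pid;
    struct proc *flink, *blink;             /* stand-in for ActiveProcessLinks */
} proc_t;

typedef struct { unsigned tid; proc_t *owner; } thread_t;   /* stand-in for ETHREAD->Process */

static proc_t head;                         /* stand-in for PsActiveProcessHead (sentinel) */

static void list_init(void) { head.flink = head.blink = &head; }

static void list_add(proc_t *p) {           /* append just before the sentinel */
    p->blink = head.blink; p->flink = &head;
    head.blink->flink = p; head.blink = p;
}

/* The neighbours skip p; p's own memory, threads and work are untouched. */
static void list_unlink(proc_t *p) { p->blink->flink = p->flink; p->flink->blink = p->blink; }

/* View 1: walk the list, as a Task Manager style enumeration does. */
static int in_list(unsigned pid) {
    for (proc_t *p = head.flink; p != &head; p = p->flink)
        if (p->pid == pid) return 1;
    return 0;
}

/* View 2: every thread names its owner. Return the first owner the list walk
   cannot see, or 0 when both views agree. */
static unsigned cross_view_hidden(const thread_t *t, int n) {
    for (int i = 0; i < n; i++)
        if (!in_list(t[i].owner->pid)) return t[i].owner->pid;
    return 0;
}

/* Constructed scenario: three processes, the third unlinked after its threads exist. */
static unsigned scenario(void) {
    static proc_t p[3] = {{4}, {520}, {1337}};
    static thread_t t[4];
    list_init();
    for (int i = 0; i < 3; i++) list_add(&p[i]);
    t[0] = (thread_t){8, &p[0]};    t[1] = (thread_t){524, &p[1]};
    t[2] = (thread_t){1340, &p[2]}; t[3] = (thread_t){1344, &p[2]};
    list_unlink(&p[2]);                     /* pid 1337 vanishes from the list walk only */
    return cross_view_hidden(t, 4);         /* the thread view still reports 1337 */
}

int main(void) { printf("hidden pid: %u\n", scenario()); return 0; }
```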

  22. Dirty Games: Hooks
  • Allow our code to run instead of the system code
  • Work on running code
  • Allow API calls to be intercepted
  • Do not require special privileges
  • Useful for developers … and for the ‘bad guys & girls’
  Image credit: http://www.lukechueh.com/

  23. demo Hooking

  24. 3 of 10 Immutable Laws of Security
  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
  • Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
  • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

  25. demo Passwords In Operating System


  27. Summary
  • Learn how to detect malicious situations
  • Know your system when it is safe: you need a baseline
  • If you detect a successful attack, do not try to fight: report the issue, format your drive, estimate the range of the attack
  • Know how to recover your data, when necessary

  28. Related Content
  • Breakout Sessions (SIA203, SIA311, SIA304, SIA307)
  • Find Me Later At TLC

  29. Resources
  • Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
  • TechNet: Resources for IT Professionals, http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn
  • Connect. Share. Discuss: http://europe.msteched.com

  30. Evaluations Submit your evals online http://europe.msteched.com/sessions

  31. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
