
Unmasking Administrator’s Evil SIM 306


Presentation Transcript


  1. Unmasking Administrator’s Evil (SIM 306)
     Paula Januszkiewicz, IT Security Auditor, MVP, MCT, CQURE, paula@cqure.pl

  2. Agenda
     1. Introduction
     2. Bad Admin
     3. Admin Even Worse!
     4. Non-Technical Issues
     5. Summary

  3. Introduction
     • Innocent Games
     • Task Manager Is Not Enough
     • Explorer Is Not Enough
     • MoveFileEx Function
     • Diagnostic and Recovery Toolset
     • Data Is Trickling
     • Administrators Take Shortcuts
     • Summary

  5. Innocent Games
     • WINLOGON
       • Supports user authentication
       • Special session in the OS with strong limitations
       • …but it is still a session, and it can be owned
     • Image Hijacks
       • Attaches a debugger to an executable file
       • The OS does not check whether the file is actually a debugger
     Source: Photosur@flickr

  6. WINLOGON Image Hijacks
     Demo: the deleted account scenario

  8. Task Manager Is Not Enough
     • A tool for home users
     • The power of kernel mode:
       • No rules
       • Almost no management
       • No security
       • No time limits
     • A driver is the way to get into kernel mode!

  9. Task Manager vs. Windows Debugger
     Demo: under the cover – processes

  11. Explorer Is Not Enough
     • Let’s make it clear: if you remove the admin’s access, he WILL NOT be impressed
     • Rights
       • Should be used according to defined patterns
       • Should be audited
     • BackupRead / BackupWrite
       • A copy operation that takes precedence over ACLs
       • Used by backup software

  12. Under the Cover: Files

  14. MoveFileEx Function
     • Documented in MSDN: “Moves an existing file or directory, including its children, with various move options.”
     • MOVEFILE_DELAY_UNTIL_REBOOT flag
       • Can rename and delete files during the next reboot
       • Just after autochk
       • Long before the normal protection mechanisms start
       • Stores the queued operations in the registry (PendingFileRenameOperations)
       • By default ignores system files

  15. Till the Next Restart
     Demo: broken server scenario

  17. Diagnostic and Recovery Toolset
     • Helps to diagnose and repair a system
     • Support for
       • Windows 7 (x86 and x64 architectures)
       • Windows Server 2008 R2 (x86 and x64 architectures)
     • Allows resetting of local account passwords
     • Useful for offline activities

  18. File Tracing
     Demo: tracing what could happen

  20. Data Trickling
     • Perform regular network tracing
     • Useful not only in critical situations
     • Some applications send sensitive data over the wire
     • Perform port scanning on the edge
     • An evil admin may listen to your network

  21. Watchdog Service
     Demo: admin is still working

  22. DNS Tunneling
     An interesting way of sending files

  23. Entry TTL! Ouch!

  24. EntryTTL
     Demo: inappropriate attribute usage

  26. Administrators Take Shortcuts
     • Technical “power” against people having 100% power
     • Non-technical issues
       • Law
       • Rules and compliance
       • Documentation
       • Rotate responsibilities
       • External audits

  28. Be Proactive!
     • Infrastructure must be well documented
     • Split and rotate tasks between admins
     • Use the legal code
     • Perform periodical checks
       • Autoruns
       • Kernel-level files
       • Network traffic
       • Processes
     Source: Heard.TypePad.com
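  Two of the "periodical checks" this slide asks for map directly onto techniques shown earlier in the deck: the MoveFileEx / MOVEFILE_DELAY_UNTIL_REBOOT queue (slide 14), which Windows keeps in the PendingFileRenameOperations registry value, and the image hijack (slide 5), which works because Windows starts whatever a per-executable Debugger value names. The following read-only PowerShell inventory is an added example for this transcript, not code from the presenter or from CQURE. The slide does not name the registry locations; the paths used here are the standard Session Manager key for pending renames and the Image File Execution Options key for the Debugger value, and the function names are the example's own.

```powershell
# Added example: inventory two persistence locations discussed in the talk.
# Run in an elevated PowerShell session on the host under review. Read-only.

function Get-PendingFileRenames {
    # MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends a source/destination
    # pair to this REG_MULTI_SZ. Paths carry a "\??\" prefix; an empty
    # destination means "delete at next boot", a leading "!" on the destination
    # means "replace an existing file".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }

    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] -replace '^!?\\\?\?\\', '' } else { '' }
        [pscustomobject]@{
            Source      = $src
            Destination = $dst
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
            Replaces    = ($i + 1 -lt $ops.Count) -and $ops[$i + 1].StartsWith('!')
        }
    }
}

function Get-ImageHijacks {
    # Each subkey here is named after an executable. If it carries a "Debugger"
    # value, Windows launches that program instead, passing the original
    # command line, without verifying that it is a debugger at all.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger `
                    -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

$renames = @(Get-PendingFileRenames)
$hijacks = @(Get-ImageHijacks)

"File operations queued for the next boot: $($renames.Count)"
$renames | Format-Table -AutoSize
"Executables with an IFEO Debugger value: $($hijacks.Count)"
$hijacks | Format-Table -AutoSize
```

  Neither list is proof of wrongdoing on its own: Windows Update and installers routinely leave entries in PendingFileRenameOperations until the next restart, and some legitimate tooling registers itself as an IFEO debugger. The value of the check comes from running it on a schedule, keeping the output, and reviewing what changed since the last run, which is the "periodical checks" discipline the slide is asking for.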

  29. Thank You!

  30. Required Slide
     Complete an evaluation on CommNet and enter to win!

  31. Resources
     • EZNamespaceExtensions.Net v2011
     • http://blogs.technet.com/b/plitpromicrosoftcom/
     • Thanks to:
       • Grzegorz Tworek
       • Bartosz Kierun

  32. Resources
     • Connect. Share. Discuss. http://northamerica.msteched.com
     • Learning
       • Sessions On-Demand & Community: www.microsoft.com/teched
       • Microsoft Certification & Training Resources: www.microsoft.com/learning
     • Resources for IT Professionals: http://microsoft.com/technet
     • Resources for Developers: http://microsoft.com/msdn

  33. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
