Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified...
Page 1
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator | [email protected] | www.sevecek.com
Infrastructure (in)security
Page 2
Agenda
Where antimalware fails? Where admin fails!
Page 3
Custom code
Antimalware detects only well-known code signatures
  – heuristics?
PowerShell, C#, ASP, …
Take a look at this…
Page 4
Limited user
Hardware keylogger *
Software keylogger *
  – https://www.sevecek.com/Lists/Posts/Post.aspx?ID=416
Never type sensitive passwords on insecure machines
Page 5
What to do with a password?
Try whether any other account has the same password *
  – https://www.sevecek.com/Lists/Posts/Post.aspx?ID=387
Never use the same password twice
Page 6
UAC will keep me secure
No
  – https://www.sevecek.com/Lists/Posts/Post.aspx?ID=404
It works only locally
  – code started manually *
Do not work under sensitive accounts
Use personal limited accounts
Page 7
Those guys are local admins!
Hack local admin *
  – system partition unencrypted
  – https://www.sevecek.com/Lists/Posts/Post.aspx?ID=213
Any workstation is compromised
Encrypt system with BitLocker and TPM
  – users must not know the password
Page 8
UAC will keep me secure
No
It works only locally
  – code injected through "autorun" *
Do not work under sensitive accounts on insecure machines
Page 9
Audit tools? Antimalware? Autoruns?
  – does not verify PowerShell code *
  – trusts in what you yourself trust *
  – https://www.sevecek.com/Lists/Posts/Post.aspx?ID=235
Every tool can be fooled
Page 10
Web servers
Third party suppliers
Local limited admins
  – impersonation *
  – basic delegation *
  – Kerberos delegation *
    • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=101
Never access applications with privileged accounts
Page 11
RDP is plain-text authentication
Unfortunately
  – passwords can be extracted from LSASS memory *
  – https://www.sevecek.com/Lists/Posts/Post.aspx?ID=360
Use MMC, RPC, DCOM, WMI, C$, Admin$, REGEDIT or SCCM Remote Tools instead
  – authenticates with Kerberos
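A defender's check for the point this slide makes, as an added PowerShell example that is not part of the deck or the author's tooling: it reads Security event 4624 on the local host and lists which sensitive accounts logged on with a type (console, RDP, cached interactive) that placed their password in LSASS, while network logons from WMI, RPC, DCOM or admin shares are left out. The account names in the list are placeholders.

```powershell
# Added example, not from the deck: list logons on this host whose logon type
# hands the account's password to LSASS (console, RDP, cached interactive),
# i.e. the situation the RDP slide warns about. Network logons (type 3: WMI,
# RPC, DCOM, C$/Admin$) do not send the password, so they are left out.
# Run in an elevated PowerShell; reads Security event 4624.

# Placeholder list of sensitive accounts; replace with your own.
$SensitiveAccounts = @('Administrator', 'da-admin')

# Logon types that leave reusable credentials in LSASS on the target machine.
$ExposingTypes = @{
    2  = 'Interactive (console)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue

$exposed = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $type = [int]$d['LogonType']
    if (-not $ExposingTypes.ContainsKey($type)) { continue }
    if ($SensitiveAccounts -notcontains $d['TargetUserName']) { continue }

    [pscustomobject]@{
        Time     = $ev.TimeCreated
        Account  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Exposure = $ExposingTypes[$type]
        AuthPkg  = $d['AuthenticationPackageName']   # Kerberos, NTLM or Negotiate
        Source   = $d['IpAddress']
    }
}

$exposed | Sort-Object Time -Descending | Format-Table -AutoSize
```

Every row is a moment when that account's password was present on this machine, which is exactly what the Kerberos-authenticated remote tools on the slide avoid.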
Page 12
LSASS extraction made nice
Just let the admin access your web site
  – passwords can be extracted from LSASS memory *
Again, never access applications with privileged accounts
Page 13
Stolen CA
NTAuth CAs issue logon certificates independently from DCs
  – never appears on CRL *
Do not let them take your CA
Page 14
Thank you!
and also come to GOPAS:
  – GOC169 - Auditing ISO/IEC 27001 and 27002
  – GOC171 - Active Directory Troubleshooting
  – GOC172 - Kerberos Troubleshooting
  – GOC173 - Enterprise Cryptography and PKI
  – GOC175 - Advanced Windows Security