Security BSides Amman 2019 - Advanced Windows Attacks & Defensive Techniques

Captions
Welcome. I was honored to be talking at the fifth Security BSides conference in Jordan. It was also great meeting with all the security professionals under one roof and engaging in great conversations. I want to thank everyone who attended my session, and upon request I'm recording my session and will make it available for everyone.

My session is called Advanced Windows Threats and Defensive Techniques. If you really want to see how the bad guys can bypass your security controls and hack into your network, then you are in the right place. But don't worry, I will teach you how to be prepared and share with you best practices on how to protect your network. It is going to be a level 400 session with a lot of demos. I am also uploading the presentation to SlideShare so you can view the slides anytime.

Now let me introduce myself. My name is Ammar Hasayen. I am a Certified Information Systems Security Professional and a Microsoft MVP. I love sharing knowledge, so you can see me author security courses at Pluralsight, one of the biggest and most respected online training platforms today. I also love writing about things I find interesting, and recently I authored a book called Cloud Migration, where I talk about the cloud reference architecture and cloud security. Talking at BSides Amman is a remarkable experience for me, and it's not just this conference: I travel the world and talk at other international conferences in the United States, Europe and the Middle East. The last couple of conferences I talked at were Microsoft Ignite in Orlando, Florida and the Modern Workplace Conference in Paris. If you want to learn more about my community work and speaking events, feel free to check the links in this slide, and it would be great if we connect on social media so I can get your feedback on this presentation.

Today we are going to do a lot of hacking. I will start by hacking Windows services; specifically, I will show you how attackers can stop the antivirus service on your Windows machine to evade detection. I will then hack Windows services running under the domain admin account and show you how to steal the domain admin password in clear text. Then we will work on Windows memory, and we will try to hack into that dark protected area in memory where all password hashes are stored. We will use these hashes to impersonate the local admin account on a machine and then use the pass-the-hash technique to move to other machines using stolen hashes. After that I'm going to show you the cyber kill chain and how you can use it to plan your security controls. Mainly I'm going to show you the pre-breach side of the cyber kill chain and how to use Microsoft Defender ATP, or Advanced Threat Protection, to detect and prevent attacks from happening, and then I'm going to jump to the post-breach side and show you how AI and machine learning can help you detect anomalies and detect lateral movement. Here I'm going to show you how Azure ATP can help in anomaly detection.

In this demo I will show you how to stop the antivirus service, which should not be an easy thing to do, as these services are usually hardened in a way that you cannot just go and stop them. After the demo I will share with you links to tools and some reference articles so that you can try to hack the antivirus service yourself. Isn't that great? If you watch movies where someone is trying to break into a secure location, the first thing you try to do is to kill the alarms or to get the security dogs to sleep. This is how the thief can work freely inside the secure location without being detected. In the computer world things are not different as well: the first thing you want to do as an attacker is to kill the alarm, which is the antivirus software, so that you can download more tools from the internet and perhaps steal valuable information without being detected. Now we all know that the antivirus service is hardened in a way that you cannot just stop it, even if you are the local admin on the machine, but believe me when I say there are other ways to do that. If you don't believe me, let me show you in this demo how to stop the antivirus service on your Windows machine.

I am now at my demo machine, and I will quickly open the services management console. You can see a service called dummy service, and this can be your antivirus service like McAfee or Symantec. You can also see I cannot start or stop the service, as it is hardened in a way that prevents any such interactions, which is how we expect a good antivirus service to behave. Let me open a command prompt, and you can see I am the admin on this machine, and even the local admin cannot stop the dummy service. Now let me use a tool called PsExec, which is written by the famous Mark Russinovich, currently the CTO of Azure. I'm going to use the -s, -i and -d switches to impersonate the local system account. Now I'm running the command prompt using the local system account, which is the most powerful account in Windows, and in theory it can do anything. Now if the local system tries to stop the dummy service, you can see I get an access denied, so even the local system cannot stop the antivirus service.

So let me quickly clean the command prompt screen and talk about the Security Descriptor Definition Language, or SDDL. Using this language I can list the permissions of any Windows service using this command: sc, which stands for service control, and then sdshow and the name of the service. Don't worry if you don't understand what this means at first, because I'm going to help you figure this out. This is the SDDL language, and it is so easy to understand once you know how to read it. Now, D stands for discretionary access control, A stands for allow permission, the next long string is a list of rights, or things you can do to the service, and then we have the security principal: in this case BU stands for built-in users, SY stands for system account and BA stands for the built-in administrator. Now, to understand this long string that represents the rights and privileges a security principal has to a service, I have listed a couple of them for clarification purposes. For example, the built-in administrator has the RC right, which stands for read permission, so built-in admins can read the permissions of the service; CR stands for reading extended rights and LO stands for reading objects. What is missing though is the WP right, which stands for write property. This is what we need in order to start and stop services.

Now let us search for a Windows service that my user can start and stop, like the Workstation service for example. You can see I have the permission to start and stop the service, so let me quickly copy the service name and go back and view the SDDL permissions of the service by running sc sdshow and the service name. Here you can see what permissions the built-in admins have, which includes the WP permission, and you can compare that with the permissions given to the built-in admins on our dummy service. Now I will quickly copy the SDDL permissions of that dummy service to a notepad so we can have a closer look. What I will do next is to copy the rights assigned to the built-in admins on the Workstation service and replace the rights assigned to the built-in admins on the dummy service with them. This should do the trick after all. Now I use sc sdset and the dummy service name to construct my new command, and then I will paste it into an elevated command prompt running under the local service account. You can see the sdset command, and it shows it is running successfully. The built-in admins now have the same rights on the dummy service that they have on the Workstation service, including the WP right. Now if we go to the services management console and search for our dummy service, you can see I can stop the service now. Mission accomplished. Throughout the demo I used many tools and talked about a lot of technologies, so make sure to check these links for more information. Do you believe me now? Any Windows
service can be stopped if you have the admin privileges. So here is my challenge for you: go to your Windows machine and try to locate your antivirus service in the services console and verify that it cannot be stopped from that console. You might have McAfee, Symantec or any other product. Now, using the same techniques I showed you in the demo, try to stop the service. Finally, please share your results of this challenge in the comments below.

Now that you know how to stop the antivirus service, let's now hack some Windows service accounts. I will talk about the number one finding in any penetration test and one of the easiest ways for an attacker to compromise your whole network. It is like giving an attacker a priority pass or the keys to the kingdom, saving him both time and effort. Did you guess what I'm talking about? It is the nightmare for any security professional to have a Windows service running under the domain administrator account. In almost every organization there is a service running under the domain admin account, or at least another highly privileged account. This is usually your backup service that needs to back up all the files, including SQL databases, Exchange services and Active Directory. You know, I work in big organizations and I always hear the backup team saying we need to run the backup job under the domain admin account to back up the Active Directory. But a better way is to run a scheduled task on one of your domain controllers, and that scheduled task will be running under the local system and it invokes a PowerShell script. Now that PowerShell script will take a backup of your Active Directory and copy the backup files to a remote secure file share, where your backup software can then go and take a backup of these files without the need to expose your domain admin account. Other examples and scenarios where the domain admin is used to run services are when you are running security tools that connect to all your workstations and servers, perhaps to scan for vulnerabilities. These tools usually require admin rights on all machines. What would be the easiest thing to do? Well, let's use the domain admin account. Now a better advice and practice is to use group policies and configure a dedicated account to be a member of the local admin group on all machines, and use that dedicated account for your security scanning tool. I also see people tending to use the domain admin account for almost everything because it's easier that way: you don't need to think about what permissions to give, or find yourself facing error messages related to insufficient rights, so why not use the domain admin account for everything? Now, the domain admin should only be used when you log into your domain controllers and are troubleshooting or doing some Active Directory stuff, nothing else.

Now let me show you the risk of running a domain admin under a service account. If an attacker gains access, for example, to a Windows machine and the domain admin account was used to run a Windows service, then in this demo I will show you how easy it is to reveal the password of the domain admin account in clear text. This is clear text and not the hash of the password. And believe me when I say that the first thing attackers will do is to search for services running under the domain admin account, and once they find one, it's game over. So let us dive into the demo and see how this works from the attacker's perspective. I'm looking into one of my servers, and let me open the services console. You can see I have a service running under the domain admin account. If I open the service properties, you can see under the Log On tab the domain admin is used to run the service indeed, which is a bad thing for your security team and a good thing for an attacker. Now the attacker wants to reveal the password of the domain admin account by hacking into the service by using a tool called SAPD, or Service Account Password Dumper. The attempt failed, as you can see. Let me try to open a command prompt using the local system account, which I can easily do by using a famous tool called PsExec, written by the famous Mark Russinovich, the CTO of Azure. Now I have a command prompt and I'm impersonating the local system account on this machine, which is the most powerful account on this machine. Now if I browse to my tools folder and run the same tool, which is SAPD or Service Account Password Dumper, and provide the service name, guess what I can see now? You are right, I can see the password of the domain admin account in clear text. Not the password hash, the actual password in clear text, as you can see here. When you run a service under a service account, Windows stores the password in a secure location in the registry so that the service can still run if the machine is disconnected from the network. Mission accomplished. You can see how easy it is to reveal the password of a service account if you are the administrator on Windows. The password of a service account is stored locally in a secure location in the registry so that if the machine is offline or disconnected from the network, the service can still keep running.

Here is my challenge for you: go to your Windows machine and try to locate one of your services running under a privileged service account, try to reveal the password of the service account, and share your result and feedback in the comments below. I know that all this sounds scary, and by now you should carefully consider what accounts are used to run your services. As a rule, you should never ever use the domain admin account to run any Windows service, and there is no exception whatsoever for doing this. What about best practices that you should consider when planning your service accounts? The best way to handle service accounts is to use managed service accounts. They are available to you since Windows Server 2008 R2, and the passwords for such accounts are managed by your domain controllers. There is also another variation of managed service accounts called group managed service accounts that allow you to use the same managed service account across multiple machines; think of an IIS pool account that is shared across many front-end nodes. The next thing you should consider is to give service accounts just enough privileges to carry out their purpose, nothing more and nothing less. And remember, once an attacker hacks into a machine, every account used on that box should be considered compromised, including service accounts. Now, during the demo I used many tools and talked about a lot of technologies, so make sure to check these links for more information.

It's time to steal some password hashes and impersonate accounts to move laterally inside the network using the pass-the-hash technique. Attackers love passwords, and we as security professionals hate them for their weaknesses, and end users either write them down, share them or use weak passwords that can be easily guessed. But attackers are not after your password anymore; they can do the same damage by only knowing your password hash. The bad news is that Windows keeps all password hashes in a protected area in memory. If attackers can hack into that protected area, they can access password hashes for every account using that Windows machine, not only your password. You think this is bad? Wait till you learn that attackers can use these hashes to connect to remote resources also, using the pass-the-hash technique, and this is how attackers move inside your network, usually undetected. Now do you want to see all this in action? I'm sure you do. So in this demo I'm going to show you how to hack into this protected area in memory and get access to all these hashes we talked about. To make this demo more interesting, we're going to steal the hash of the local administrator account and pass that hash to a nearby Windows machine and gain access to sensitive information. This is known as the pass-the-hash technique. So let's start our demo. Let me start by opening a command prompt and verify what account I'm using and whether
it is a local admin on the machine or not. You can see that I'm running under an account that is a member of the local administrators group. Now let me quickly clean the screen and browse to my tools folder, and I want to find the tool called mimikatz, which is the number one forbidden tool by Microsoft, and there is a good reason for that: this tool dumps passwords from memory as well as hashes. Now let me run the tool and clean my screen, and I will start by attaching it to a debugger by typing privilege::debug. You can see I get an error, but don't worry, this is intentional. The reason is I need to run the command prompt with elevated rights, so let me quickly open a command prompt with Run as administrator, browse to my tools folder and run mimikatz again. Now I will try to type the same command, privilege::debug, and you can see the command ran successfully. Now this is possible because by default the local administrators group has the debug privilege, which we can quickly verify by opening the local group policies console, browsing to Windows Settings, Security Settings, User Rights Assignment, and then searching for Debug programs. Here you can see that administrators have the right by default, and you can see that assigning this right can be a security risk. Now let me go back to mimikatz, and now I will enable logging so that any output generated by this tool will be logged in a text file, as you can see here. Now here is where the magic starts. I will type sekurlsa (LSA stands for Local Security Authority), so sekurlsa::logonpasswords full, to dump the hashes stored in memory for every account who logged onto this machine. Now all that you see here on the screen is a memory dump of all passwords in memory. Here is my user Ammar, and you can see different types of hashes for my password stored in memory and available to me using this tool, and this is what allows Windows to enable single sign-on in the first place, so that I don't need to type my password each time I access network resources. That's why Windows stores password hashes in memory. The most interesting part is the NTLM hash of my password. Now let us try to find other password hashes stored in memory just for fun, and as you can see there are a lot of them. Here is an account called L3 admin, which is level 3 admin; it seems one of the level 3 engineers logged onto this machine, perhaps to solve a problem, and we can see the NTLM hash for this account available for us. Let me try to open the log file and search in the log file, just for clarity, and try to find other password hashes, specifically the password hash for the local admin on this machine, which is called the master account. We can see the domain is DEMO1, which is the name of the machine, and this means this is a local user, and here is the NTLM hash of the master account, which is the default local administrator on that machine. I will copy that hash and open a new notepad and paste the hash there for our next step.

Later in this demo we will use this hash to connect to another machine called DEMO3. Using my account, which is Ammar, I don't have access to connect to the DEMO3 machine, which is a nearby machine. In fact, let me prove it to you very quickly: I'm using PsExec to connect to DEMO3, and you can see I don't have admin rights on that machine. But if I am lucky enough, the local admin password of my machine and the DEMO3 machine is the same password, and since I have the hash of the local admin password in my notepad, I can use mimikatz to have a functional command prompt using the context of the local admin just by passing the hash. You can see the full command I use in mimikatz: I type sekurlsa, then the username as master, the domain name as localhost since this is a local account, and the NTLM hash I got earlier in my notepad. Now you can see I got a new functioning command prompt window. Let me put both windows next to each other: the left side window is running under my account Ammar and the right side window is running under the built-in admin account. Now the confusing part is when we type whoami on both windows. I would expect the result to be master in the right side window, which is the local admin, but don't worry, this is just how things work with these tools. To prove it, you remember my account could not connect to the DEMO3 machine, as you see here again. Now on the right side window you can see I'm using PsExec again to connect to the DEMO3 machine, and the tool is taking time to establish a remote session on DEMO3 using the master account password, and since my machine and the DEMO3 machine both have a local admin account called master with the same password, this command should work, and by passing the hash I have now a functional command prompt on a remote machine. If I type hostname on both terminals, you can see on the left side the hostname is DEMO1 and on the right side the hostname is DEMO3. I can even browse the file system on the remote computer, locate a secret folder and access the credit card information data. Mission accomplished.

What you can learn from the demo is that the debug privilege is a very risky privilege. You should use group policy to prevent anyone, including administrators, from having such a right unless you have specific needs. Also, your users should not be admins on their machines; they should be running under a normal account and perhaps use another separate admin account. As we saw in the demo, we used the hash of the local admin account to connect to a remote machine because the local admin password is the same across all machines. You should always make sure to have different local admin passwords across your machines, and to do that you can use the solution from Microsoft called Local Administrator Password Solution, or LAPS. Also, as a best practice, you should have your admins working with two machines: one machine to access email and browse the web, and a separate machine to perform highly privileged tasks. This way, if malware was delivered through the web or email, it cannot do much damage because your admins are using a separate machine for admin tasks. Now one of the two machines can be a virtual machine, and there is a great solution from Microsoft to implement that; it is called the privileged admin workstation, which I encourage you to look at. Finally, you can disable the local admin and the guest accounts on all machines just in case. Here are some good references for you to learn more about some tools and technologies we talked about so far.

It's time for my favorite part of this session, and be prepared as we go deep into how sophisticated cyber attacks happen and how you, as a security professional, can plan your security controls accordingly. Have you ever heard about the term cyber kill chain? You might know what it means even if you don't recognize its name. A cyber kill chain reveals the phases of a cyber attack, from early reconnaissance to the goal of data exfiltration. It can be used, however, by security professionals to improve network defenses on each stage of the cyber kill chain. Now let me show you how sophisticated attacks actually happen. Usually an attacker selects a target and does some research to learn more about vulnerabilities; this is usually called the reconnaissance phase. After doing all the research, now the attacker is ready to move to the weaponization phase, as he creates malware tailored to one of the vulnerabilities discovered. Guess what's the next step? Of course, the attacker delivers the malware to the target via an email attachment, USB drive or any other possible way. Now that the malware lives in the target machine and network, the malware will start a privilege escalation on the local machine to elevate its rights, and installs an access point or a backdoor, and then connects to the command and control center so that an intruder can now have remote access. Most of the time patient zero, or the first machine being hacked, is not an interesting target by itself; it just happened that it is the weakest entry point to
attack the network. So the attacker now starts discovering machines and resources and moves from one machine to another; this is called lateral movement, and he keeps moving until he gets the intended resource or credential. This can be a domain admin credential or perhaps a database with highly valuable information, which is the data exfiltration phase. The objective can also be data corruption or data destruction. Now usually it takes a long time until someone discovers that an attack happened, and then forensic teams get involved trying to understand how the attack happened in the first place, what targets are compromised and what was the damage. These phases together are called the cyber kill chain. But remember, we can design and plan our security strategy around the same phases of this kill chain. You can either focus all your security efforts on trying to prevent the attacker from installing malware inside your network, which is the pre-breach security approach, or you can focus your security efforts on detecting the lateral movement of an attacker after the attacker compromises a machine, which is called the post-breach approach.

Most security controls nowadays focus on the pre-breach approach, that is, how to prevent the malware from getting delivered in the first place. Here you have signatures and packet filters that are good at recognizing known threats and then injecting the results in the form of antivirus signatures or signature-based intrusion detection systems. But with time, attacks become more sophisticated and they start to adapt to evade detection using technologies like polymorphism, and with that the defenses themselves start to evolve, and we start seeing heuristics and behavioral rules being introduced into the security space, including sandboxes where pieces of the content would be executed in a safe, isolated environment and then monitored for signs of malicious behavior. But the problem with this approach is that it is really based on having identified threats and then constructing these rules and behaviors that look for intruders to identify similar threats even if their signatures have changed. The next wave, however, is machine learning's promise of being able to get ahead of a threat and not being reliant on having to have found something before in order to be able to detect it for the first time. This is driven by the introduction of zero-day malware that is coming out, and the sophistication of the adversary was growing, and therefore there was definitely a desire to get more sophisticated defenses. The promise is being able to build a super intelligent machine that would be able to reason its way through the high volume and velocity of data that is prevalent in the cyber environment. Such machine learning power can be used in the pre-breach approach or the post-breach approach. When used in the post-breach approach, the machine learning model is trying to detect anomalies in the network that might be caused by the lateral movement of an attacker.

Now that you know the cyber kill chain, let me show you how to detect sophisticated malware attacks using the pre-breach approach. I'm going to talk about Microsoft Defender ATP, or Advanced Threat Protection, and how it helps you detect zero-day attacks and respond to emerging threats. Now that you know what the cyber kill chain is, let us talk about pre-breach detection and prevention. Threat detection and prevention is focused on identifying threats early in the cyber kill chain and preventing the malware from installing on the target machine. The endpoint antivirus solution is the first and oldest technology here, but with time, and as the sophistication of attacks increases, we start seeing machine learning playing a big role. One way of using machine learning at the endpoint level usually involves classification, or supervised machine learning models. The game is typically around classification, most often being applied to a particular piece of content in the network, so these are things like Windows executables, PDF and Word documents or network streams that can be labeled as being malicious. And the whole supervised technology is really, really about starting with labeled data that feeds machine learning algorithms, and they learn from those labels, learn from the properties of the files or samples that go into that machine learning system, and then it predicts if the file is clean or not.

Now Microsoft has a great solution at the endpoint level that is called Microsoft Defender Advanced Threat Protection, or Microsoft Defender ATP, that applies machine learning at the endpoint level to detect and prevent zero-day attacks. I know most of you still don't consider Microsoft as a good security provider, but Microsoft is changing their whole strategy when it comes to endpoint protection. In fact, the name Windows Defender is not just the antivirus we all used to know and perhaps choose not to trust. Now Microsoft Defender ATP, or Advanced Threat Protection, is the new thing, and it's a brand name that consists of many products, not only the anti-malware. All those products are working together tightly, using the power of the cloud and the signals from Microsoft threat intelligence, to deliver a comprehensive solution that can protect endpoints from zero-day attacks and the most sophisticated malware out there. As an example, Windows Defender SmartScreen blocks low-reputation web downloads and even malicious websites, while Windows Defender endpoint protection monitors all Windows processes and files and then terminates or cleans any infection found. The next innovation that comes with Microsoft Defender ATP is the ability to automate the responses when an attack is detected, which is possible through a recent acquisition of a company called Hexadite, so that security admins don't need to worry much about responding to threats, as this is taken care of by the new automation capability. And the new way of defending against attacks is by utilizing the power of the cloud and the Intelligent Security Graph at Microsoft. The Microsoft Intelligent Security Graph provides rich signals from vast security intelligence, machine learning and behavior analytics that Microsoft allows you to consume and use to enhance your protection and detection speeds. So when Windows Defender encounters a new file, for example, that it does not know if it's a bad or good file, it sends a file query to the cloud: hey cloud, do you know about this file? Now if the cloud knows about this file, it will provide feedback to the endpoint; otherwise it will ask the endpoint to send a sample. The client holds the file and uploads the sample to the cloud. The cloud services will process the sample and check against machine learning classifiers, trying to find out whether that file is good or not, and then if the file turned out to be holding malicious code, the cloud will generate a new signature for that file and send it back to the client. Not only to that client: it will send it to all clients, so that when they encounter this file they already know to block it. Now you can see that many pieces came together to defend against today's zero-day attacks. You need a strong endpoint detection and response engine at the endpoint level, you need the power of the cloud to help you against zero-day attacks, and you need the power of machine learning and AI at the endpoint and at the cloud to recognize new types of malware that are seen for the first time.

And you might be asking, does this mean the client needs to consult the cloud and wait for an answer, and what if there is no internet connection at that time? Well, here is how things are designed. Each Microsoft Defender client has local machine learning models and behavior-based detection algorithms, right? So this means you can use all that logic offline without consulting the cloud. This operation takes only milliseconds. But the client can consult the cloud by sending only metadata, only metadata, so the cloud can use metadata-based machine learning models to determine if the file is malicious or not. This only takes milliseconds also. But if the cloud requested a sample, then sample-analysis-based machine learning models are used in the cloud, which might take seconds, not milliseconds, seconds. Now in certain scenarios detonation-based machine learning models can be invoked, which might take minutes, and big data analysis can take up to hours. What this means is that the client will not wait for minutes and hours; if the file is infected and the cloud could not determine it is a bad file in seconds, the client will allow the file to run. In the background the cloud will continue working and analyzing, and might do detonation-based ML models and big data analysis to give the truth about that file, so other clients are notified and updated, although we lost patient zero, or that initial client who encountered the file in the first place. When it comes to the cyber kill chain, we find that Microsoft Defender ATP fits in the advanced threat detection area, trying to detect and prevent malware from installing and using machine learning to detect zero-day attacks.

Now it's time for our demo, finally. Now attacks that introduce file-based malware using socially engineered emails are quite common. Recipients are tricked into launching a backdoor that gives the hackers control over what is now a compromised machine. Now this demo simulates that attack; it simulates the attacks that are launched using a socially engineered Word document in a spear-phishing email. The attack is designed to ensure that the receiver does not suspect a thing and opens the document. The document, however, is weaponized with crafted macro code that silently drops and loads an executable file onto that machine. The executable then writes a registry key and creates a scheduled task, both commonly known autostart extensibility points. After the attack finishes, we can explore and understand how Microsoft Defender ATP detects and responds to the attack and enables prompt investigation and response. In this demo I will start by onboarding a machine to Microsoft Defender ATP, then I will open an infected document from the user machine. The infected document drops a backdoor and creates a scheduled task for persistence. I will then show you how Microsoft Defender ATP can help you in all phases of incident response management, including detection, incident mitigation and containment, recovery and remediation. You will then get a chance to explore the Microsoft Defender ATP management portal and see all the new features.

Let's go to part one of this demo: onboarding a machine to Microsoft Defender ATP. In this demo we are going to onboard a demo machine to Microsoft Defender ATP. To do that, I will go to securitycenter.windows.com to access the management portal, then Settings, and I will scroll down to find the onboarding section under machine management. Here you can see different ways to deploy Microsoft Defender ATP, including Group Policy, System Center Configuration Manager and a local script. I will quickly choose local script and click download package. I will run this script on my machine to onboard it to Microsoft Defender ATP, and as you can see it takes a couple of seconds. Now this machine is protected and managed by Microsoft Defender ATP. So as you can see, there is no need to install anything, just running a script to guide this machine to report to the right Microsoft Defender ATP tenant. In part 2 of this demo I'm going to deliver malware to the demo machine. Let's pretend that this machine is the Windows machine of a user who received this Word document; it could be delivered to him by email, a chat window or by any other means. Now when the user opens that document, he sees this tempting yellow bar at the top to enable editing, and then of course there is that macro bar that users cannot resist, and they feel they need to hit that Enable Content. A few seconds later, a hidden PowerShell script is launched from this document's malicious macro, and it performs the following actions: first
that macro drops an executable file which represents the backdoor onto the desktop folder then the scape goes on to create a scheduled task to launch the backdoor at a predefined time and finally when the backdoor is launched it creates an auto start entry under the registry run key allowing it to stay persistent by starting automatically with Windows you can also see that Microsoft Defender 80p detects what's happening and this is where we will continue the demo by logging on to the Microsoft Defender ATP management portal now that the malware is delivered to the user machine we are going in part three of this demo to detect and investigate the attack on Microsoft Defender ATP portal let's switch to our defender role and explore the attack from the soft point of view and the Microsoft defender ATP portal located at Security Center dot windows.com Microsoft Defender ATP applies correlation analytics and aggregate or related alerts into one incident entity allowing the stock analyst to understand and deal with complex threats across the organization with the right visuals as we see here let me select this incident and then open the incident page you can see in the incident page all alerts related to this incident all machines involved investigations evidence and graph here I'm at the alerts page reviewing the incident alert list and Falls the progression of the attack from this view you can dive into individual alerts you can also see all machines affected by this attack here we have three machines for example with high security risk the graph is also a great visualization that shows all machines involved in this attack and all entities involved so for our machine we can see there is a PowerShell script involved and you can see the hash value of that script the script creates a scheduled task to persist after reboots here is also the office word process that starts the whole attack when a user opened the infected word document and finally you can see executable file 
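The chain just described (Word opens, its macro launches a hidden PowerShell, the script drops an executable, schtasks registers a task, and the backdoor adds a Run key) is exactly what the process tree and graph in the portal expose. The following Python is an added example, not code from the talk or from Microsoft Defender ATP: it walks constructed process-creation telemetry (the hostname, pids, paths, command lines and hashes are all made up for the example) and flags an Office process that spawned a script host, follows that script host's descendants, pivots to any executable named on the chain's command lines (the task-launched backdoor has the Task Scheduler service as its parent, not PowerShell), and reports the persistence commands and file hashes an analyst would search for on other machines. Function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record (constructed telemetry, not Defender ATP data)."""
    hostname: str
    pid: int
    ppid: int
    image: str        # full path of the started executable
    cmdline: str
    sha256: str = ""  # hash of the image, used to pivot to other machines


@dataclass
class Finding:
    hostname: str
    office_process: str
    script_host: str
    script_cmdline: str
    hidden_window: bool
    persistence: List[str] = field(default_factory=list)  # commands registering autostart entries
    hashes: List[str] = field(default_factory=list)       # hashes worth searching on other machines


OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# (image name, substring of the lower-cased command line) that registers an autostart entry
PERSISTENCE_MARKERS = (("schtasks.exe", "/create"), ("reg.exe", "currentversion\\run"))
EXE_PATH = re.compile(r'[a-z]:\\[^"\s]+?\.exe', re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_office_dropper_chains(events: List[ProcessEvent]) -> List[Finding]:
    """Return one Finding per script host that was spawned directly by an Office process."""
    by_key: Dict[Tuple[str, int], ProcessEvent] = {(e.hostname, e.pid): e for e in events}
    children: Dict[Tuple[str, int], List[ProcessEvent]] = {}
    for e in events:
        children.setdefault((e.hostname, e.ppid), []).append(e)

    def descendants(root: ProcessEvent) -> List[ProcessEvent]:
        out, stack = [], [root]
        while stack:
            cur = stack.pop()
            for child in children.get((cur.hostname, cur.pid), []):
                out.append(child)
                stack.append(child)
        return out

    findings: List[Finding] = []
    for ev in events:
        if _basename(ev.image) not in SCRIPT_HOSTS:
            continue
        parent = by_key.get((ev.hostname, ev.ppid))
        if parent is None or _basename(parent.image) not in OFFICE_PROCESSES:
            continue
        finding = Finding(ev.hostname, _basename(parent.image), _basename(ev.image),
                          ev.cmdline, bool(HIDDEN_WINDOW.search(ev.cmdline)))
        related = descendants(ev)
        # Pivot: an executable named on the chain's command lines (the /TR argument of
        # schtasks here) starts later under the Task Scheduler service, not under PowerShell.
        referenced = {p.lower() for proc in related for p in EXE_PATH.findall(proc.cmdline)}
        for other in events:
            if (other.hostname == ev.hostname and other.image.lower() in referenced
                    and other not in related):
                related.append(other)
                related.extend(descendants(other))
        for proc in [ev] + related:
            name, lowered = _basename(proc.image), proc.cmdline.lower()
            if any(name == img and marker in lowered for img, marker in PERSISTENCE_MARKERS):
                finding.persistence.append(proc.cmdline)
            if proc.sha256 and proc.sha256 not in finding.hashes:
                finding.hashes.append(proc.sha256)
        findings.append(finding)
    return findings


# Constructed telemetry for the demo scenario; every value below is made up for the example.
SAMPLE_EVENTS = [
    ProcessEvent("demo3", 1300, 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    ProcessEvent("demo3", 2100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent("demo3", 3300, 2100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\master\Downloads\invoice.docm"'),
    ProcessEvent("demo3", 3410, 3300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER", sha256="a1" * 32),
    ProcessEvent("demo3", 3420, 3410, r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN "Updater" /TR "C:\Users\master\Desktop\backdoor-sample.exe" /SC ONCE /ST 23:00'),
    # Launched later by the scheduled task: its parent is the Schedule service, not PowerShell.
    ProcessEvent("demo3", 4100, 1300, r"C:\Users\master\Desktop\backdoor-sample.exe", "backdoor-sample.exe", sha256="b2" * 32),
    ProcessEvent("demo3", 4110, 4100, r"C:\Windows\System32\reg.exe",
                 r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\master\Desktop\backdoor-sample.exe"'),
    # Benign: the user opened PowerShell from the Start menu, so its parent is Explorer.
    ProcessEvent("demo3", 5200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for f in detect_office_dropper_chains(SAMPLE_EVENTS):
        print(f"{f.hostname}: {f.office_process} -> {f.script_host} (hidden={f.hidden_window})")
        for cmd in f.persistence:
            print("  persistence:", cmd)
        print("  hashes to search:", ", ".join(f.hashes))
```

The explorer-spawned PowerShell at the end is there on purpose: parent-child context, not the presence of powershell.exe, is what makes the first one suspicious, and the hash list is what you would paste into the portal's search bar to find the same backdoor on other machines.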
Now let me go to the demo 3 machine. As you can see, each machine protected by Microsoft Defender ATP has its own page. On the machine page you can see different sections like alerts, timeline, security recommendations, software inventory and discovered vulnerabilities. You can also see the risk level of that machine, the logged-on user and basic information about the machine like the domain membership and operating system information. Let me open this alert as we try to reproduce how the attack took place. The alert is "PowerShell dropped a suspicious file on this machine". You can see the process tree: here we have the Windows Explorer process and the Word document that triggers the PowerShell script. Now that script did two things: it dropped a backdoor and created a scheduled task, as you can see here. You can also go deeper and see the full PowerShell script that was invoked on that machine and the hash value of that script. You can also see the hash value of the backdoor file, and this is useful if we want to search whether the same backdoor exists on other machines. Now if you want to know more details about this scheduled task that was created by this attack to persist after reboots, you can see here the command used to create the scheduled task by the malware. This is so powerful. I will go to the alerts page again and let's open this alert, "Suspicious PowerShell command line", and as you can see you have the same process tree and even a nice graph showing all entities related to this PowerShell. Here you can see the same PowerShell script is invoked on a machine called demo 1, which is so important to know: not only do we discover the attack, but now we can reimagine how it happened and what machines were infected.

I will go now to the machine's timeline to get more details about all events happening on that machine to ease investigation. Here you can see each and every process activity recorded for every machine. For example, you can see we have the Office Click-to-Run executable establishing a connection to a remote IP; you can see the command line that was run, the hash of the executable, the remote IP, URL and even the port number. Now let me filter the timeline for alert-related events, and we now have a filtered view of all suspicious activities on that machine, including this suspicious command line. And to show you how powerful this is, let me filter the view and search for PowerShell. You can immediately see all events and suspicious activities that involve PowerShell on this machine. So for example I have "PowerShell created a script" and the behavior is "document exploit", and we have WINWORD.EXE created the process PowerShell; here we have the context, which is the user called master. Now we know that the Word document created a process called powershell.exe, which invoked a suspicious PowerShell script that dropped a backdoor and created a scheduled task.

Now that you have learned how this attack took place, it's time to take some actions. I will go to the incident section and open the incident page for this attack. You can see I have the action and assignment section here: I can resolve the incident or assign the incident to me so that others in the SOC team can acknowledge that I will be investigating this one. Before conducting the investigation, however, it's a good idea to look at the reports dashboard. It provides high-level alert- and machine-related information generated in your organization. The report includes trends and summary information on alerts and machines. Knowing the trends and summaries related to alerts and machines in your organization can help identify where focused improvements can be made. For example, if you see a sudden spike in a specific kind of alert, you can drill down and start investigating directly from the relevant card to pivot into the alert or machine queue with the relevant filters applied and determine what action to take to address an issue.

Finally, I want to show you one of my favorite tools to help you investigate incidents. Remember that infected Word document was found on the machine that dropped a backdoor executable and invoked a suspicious PowerShell. I can copy the hash of the Word document and use the search bar to see if this Word document exists on any of my other machines. Doing that gives me more information about this document, like the digital signature and hash values and whether this document was seen in other organizations globally, to give you more insight into whether this is a targeted attack or not. You will also get alerts related to this document, and the most important part is you get a list of machines where Microsoft Defender ATP has seen this file in your organization. In this case we have three machines where this Word document got dropped. This is important for you as a security professional because it's not just mitigating the threat on one machine; you really want to see if this attack spread to other machines and then cover all infected machines during your investigation.

Before we end this demo, let me show you another interesting feature called automated investigation. Microsoft Defender ATP can start an investigation and automate a lot of actions without human interaction, using machine learning. Here you can see Microsoft Defender ATP recognizes a dangerous tool called Mimikatz running on one of my machines, and it automatically started an automated investigation for me. If you watch one of the famous crime scene investigation, or CSI, TV series, you know that investigators at the crime scene start by gathering evidence and asking witnesses to learn more about what just happened. This is the same thing we have here: under the investigation graph we have the dead body, which is the machine or machines list; we have the witness list, people who might know more about this crime, and in our case we have the entities analyzed. So Microsoft Defender ATP is investigating 2342 files, 150 processes on this machine, 262 services and a couple of drivers. In the TV series the investigator will look at the list of phone calls made by the victim before the crime happened, and here Microsoft Defender ATP is investigating the list of IP addresses this machine talked to during that period. All this investigation of all these entities is finished after 45 seconds only by Defender ATP; this is the true power of automation. We have the list of alerts that are part of this investigation, the list of machines infected, a view of all entities involved in this investigation (as you can see we have three thousand four hundred twenty entities involved here), and the investigation log, which is the list of actions Microsoft Defender ATP took during this investigation. And we have one pending action that Defender ATP asked me to confirm before closing this investigation. I already approved this pending action, which is to quarantine the malware's folders and executable.

In part four of this demo we are going to log into the Microsoft Defender ATP portal and collect an investigation package from the infected machine. When your forensic team is involved to understand how the attack happened and truly understand the depth of the attack, the first thing they want to do is to collect as much information as possible from the infected machine. Microsoft Defender ATP gives you the ability, from the management portal, to go and collect an investigation package that your forensic team can use. So here I am logged in to the Microsoft Defender ATP management portal and I can see I have a couple of alerts and I have some machines at risk. Let me quickly choose the demo 3 machine and open the machine page. I can quickly see the risk level of that machine: obviously there is one incident with seven active alerts, so it might be worth investigating. You can see a list of actions in the top bar; these are actions you as a security professional can perform remotely from the management portal without going to the machine itself. One of the actions is "Collect investigation package". If I click it, this will send a request to the local Microsoft Defender ATP agent on that machine instructing it to collect forensic information right now from that machine and send the results back to the Microsoft Defender ATP cloud services, and then make it available to me as a security professional from the portal so that I can continue my investigation. I already did that, so in the Action Center I can see there is an item waiting for my review: I can see the investigation package is now ready for me to review. I will open it quickly and see what's inside.

Here you can see a lot of information made available for you to help you in your investigation. Let me start with the autoruns: as most attacks involve modifying the autoruns on machines to persist after reboots, it's a good thing to review the autorun configuration of the infected machine. You also get a list of installed programs on that machine; the list contains information about each application installed on the machine, the date of installation and other more detailed information for you to review. Next we have the network connections, a very important piece of information: if the attack is still happening on that machine, you want to learn about what this machine is communicating with, so here you have the active network connections on that machine, including the ports and IPs this machine is communicating with right now. You can also get both the DNS cache and ARP, just in case DNS poisoning or ARP poisoning is taking place in this attack, and to help you understand how the machine is performing name resolution. You also get the firewall execution log and the IP configuration of the machine, which might come in handy for your forensic team. The investigation package also includes a list of processes running on that machine, which gives you deep insight into what is happening inside that box without even touching that machine. You also get the scheduled tasks information, to learn if an attacker created a scheduled task on that machine, perhaps to persist after reboots; as you can see in the Excel sheet here, you get a lot of information about each scheduled task on that machine. Now my favorite one is the security event log: here you can search inside the security log files of the infected machine and analyze all security events to help you understand more about the attack happening. Next you get comprehensive information about services running on the remote machine, including service name, running state, service account used to run each service and the associated process ID for running services. You also get information about SMB sessions taking place on that machine, because remember attackers might move from one machine to another by using the pass-the-hash technique, and they can use SMB for lateral movement, so here you get a list of all SMB sessions. System information is another good piece of information you get as part of the investigation package, to learn more about the machine and the hardware profile. Finally, you get information about all local groups on that machine, as you can see here. You also get session information, so you can see that a user called master is connecting to this remote machine using the RDP protocol. You get a forensic investigation summary file containing information about how Microsoft Defender ATP collected all this information together; for example, the Microsoft Defender ATP agent on that machine ran this command to collect the process list and generate a CSV file. This can help you as a security professional to learn which commands you can use to collect forensic information, which I believe is so handy.
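The autorun and scheduled-task listings are the first place to look in a package like this, and the quickest triage question is where each autostart entry's executable lives. The following Python is an added example, not a tool from the talk or from Microsoft: it reads two constructed CSV extracts shaped like a scheduled-task listing and an autorun listing (the column names, task names, registry entries and paths are all made up for the example) and ranks each entry by the launched executable: script hosts and anything under Desktop, Downloads, Temp or Public are rated high, anything else outside the Windows and Program Files trees is rated medium for review, and entries in system paths are left alone. The function names and the environment-variable table are my own.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed extracts in the shape of the package's scheduled-task and autorun listings.
# Column names, task names, registry entries and paths are made up for this example.
SCHEDULED_TASKS_CSV = r'''TaskName,State,Action,Author
\Microsoft\Windows\Defrag\ScheduledDefrag,Ready,%windir%\system32\defrag.exe -c -h -o -$,Microsoft Corporation
\Updater,Ready,"C:\Users\master\Desktop\backdoor-sample.exe",DEMO3\master
\OfficeTelemetryAgent,Ready,"""C:\Program Files\Microsoft Office\root\Office16\msoia.exe"" /scan",Microsoft Corporation
'''

AUTORUNS_CSV = r'''Location,Entry,ImagePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\master\Desktop\backdoor-sample.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,"""C:\Users\master\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,Cleanup,powershell.exe -w hidden -File C:\Users\Public\cleanup.ps1
'''

# Minimal expansion table for the variables seen in autostart commands (assumed values).
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_DROP_DIRS = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\public\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class Finding:
    source: str     # "scheduled task" or "autorun"
    name: str
    command: str
    severity: str   # "high" or "medium"
    reason: str


def executable_of(command: str) -> str:
    """First token of a command line, quoted or not, with known variables expanded."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    lowered = exe.lower()
    for var, value in ENV.items():
        if lowered.startswith(var):
            exe = value + exe[len(var):]
            break
    return exe


def classify(command: str) -> Optional[Tuple[str, str]]:
    """Severity and reason for an autostart command, or None for a system-path entry."""
    path = executable_of(command).lower()
    name = path.rsplit("\\", 1)[-1]
    if name in SCRIPT_HOSTS:
        return "high", "autostart runs a script host"
    if any(d in path for d in USER_DROP_DIRS):
        return "high", "executable lives in a user drop directory"
    if path.startswith(SYSTEM_ROOTS):
        return None
    return "medium", "executable outside Windows and Program Files"


def triage_autostarts(scheduled_tasks_csv: str, autoruns_csv: str) -> List[Finding]:
    """Rank scheduled tasks and Run-key entries, worst first."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(scheduled_tasks_csv)):
        verdict = classify(row["Action"])
        if verdict:
            findings.append(Finding("scheduled task", row["TaskName"], row["Action"], *verdict))
    for row in csv.DictReader(io.StringIO(autoruns_csv)):
        verdict = classify(row["ImagePath"])
        if verdict:
            findings.append(Finding("autorun", row["Location"] + "\\" + row["Entry"],
                                    row["ImagePath"], *verdict))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f.severity])  # stable: keeps listing order within a tier


if __name__ == "__main__":
    for f in triage_autostarts(SCHEDULED_TASKS_CSV, AUTORUNS_CSV):
        print(f"[{f.severity}] {f.source} {f.name}: {f.command} ({f.reason})")
```

The OneDrive entry comes out as medium on purpose: a path heuristic cannot tell a legitimate per-user installer from a dropper, so the medium tier is a review queue, and the signature and hash data elsewhere in the package is what settles it.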
In part 5 of this demo we are going to explore Microsoft Defender ATP remediation actions like running an antivirus scan, restricting app execution and isolating the machine; these can be considered your mitigation and containment tools in your incident response management. I am at the Microsoft Defender ATP management portal and I can see I have many alerts in the active alerts section. I can find all machines at risk here, so I will check on the demo 3 machine to zoom in and see what's happening on that machine. Here you can get the risk level of the machine and all associated alerts in the bar above. You also get a list of actions you can do remotely to that machine as part of the investigation or response process. You can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. You can select the scan type that you'd like to run; you can choose between a quick or a full scan. I will type a comment and select Yes to start the scan. Now immediately the Action Center shows the scan information, as you can see here. Now on the machine itself you can see that the scan completed successfully. Returning to the Microsoft Defender ATP management portal perspective, the machine timeline will include a new event reflecting that a scan action was submitted on that machine, and Windows Defender AV alerts will reflect any detection that surfaced during the scan. This action is available for machines on Windows 10 version 1709 or later. A Windows Defender antivirus scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. So say, for example, you have Symantec AntiVirus running on that machine and you are not using Windows Defender anti-malware for real-time protection: you can still invoke a remote antivirus scan from the Microsoft Defender ATP portal, and this will wake up the Windows Defender anti-malware engine if it is not the primary anti-malware service on that device and ask it to run a quick or full scan depending on your choice.

In addition to the ability of containing an attack by stopping malicious processes by running an antivirus scan, you can also lock down the device so that only programs and executables signed by Microsoft are allowed to run on the device, and anything else will be blocked. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. So let us restrict app execution on the machine. I will type a comment and select Yes to restrict app execution. Now immediately the Action Center shows that the app restriction command is pending. As I am running on the machine itself, you can immediately see what the user can see on the machine: I get a notification that the device is restricted, along with a message explaining what is happening on that machine. Remember that this action only prevents any program not signed by Microsoft from running on that machine, so the user can open Microsoft Office applications without any problems and even browse the web, but if the user tries to install anything that's not signed by Microsoft, like for example installing Adobe Reader, this action will be blocked, along with a notification explaining to the end user what just happened. This is a good balance between security and usability: from a security perspective we are restricting executing malicious code, but from the other side the user can open Outlook, Excel and communicate using Microsoft Teams, for example, so that he can still be productive while the security team is investigating the problem. Now depending on the severity of the attack and the state of the machine, you can choose to remove the restriction of applications policy after you have verified that the compromised machine has been remediated, and you can see the action appearing in the Action Center, which becomes the hub of notifications for all actions performed on that machine, so you can track back all actions performed by you or anyone in the security operations team over time. Now that the app restriction is removed, we can try to install Adobe Reader on the machine again, and as you can see there is nothing preventing you from doing so. Now just keep in mind that for the app restriction to work you need two things: first, you need to be running Windows 10 version 1709 or later, and this feature is available if you are using Windows Defender antivirus as your malware engine.

Now depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine, so your machine will not be able to connect to any IP except the IPs of the Windows Defender ATP cloud services, so that you can keep an eye on what's happening on that machine and continue your investigation. Now if the machine is running Windows 10 version 1709 or later, you get another cool feature: you can do a selective isolation, which means, as you can see, this machine is not allowed to connect to any IP except three services. Number one is the Microsoft Defender ATP cloud services, the second one is the Exchange Online services and the third is the Skype for Business services, as you can see here. This means you don't want the user to be able to do anything on the machine in terms of network connectivity except using Outlook and Skype for Business, which makes it easier for the user to contact the help desk or, the other way around, it is easier for the security team to contact the user of the machine using Outlook or Skype for Business, explaining to him what is happening. Now if I choose to isolate the machine, the end user of the machine will receive a notification card stating that the network is disabled and that your IT administrator has caused Windows Defender to disconnect your device and you should contact the IT help desk. Now just a reminder: the full isolation works for Windows 10 version 1703 or later, while the selective isolation is available on Windows 10 version 1709 or later. Selective isolation means the machine can only talk to the Microsoft Defender ATP cloud services and allows the user to use Outlook and Skype for Business. Now depending on the severity of the attack and the state of the machine, you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.

In part six of this demo we are going to explore more features in Microsoft Defender ATP that help you harden your environment by following security and configuration recommendations from Microsoft. We are going to explore Secure Score, advanced hunting, threat analytics and threat and vulnerability management in Microsoft Defender ATP. I'm logged on to the Microsoft Defender ATP management portal and I will go to the Secure Score section. The Secure Score dashboard expands your visibility into the overall security posture of your organization. From this dashboard you will be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization, all in one place. From there you can take action based on the recommended configuration baselines. Now the Microsoft Secure Score tile you see here is a reflection of the sum of two things: first, the Windows Defender security controls that are configured according to the recommended baselines, and second, the Office 365 Secure Score. It allows you to drill down into each portal for further analysis, just in one place. You can also improve this score by taking the steps in configuring each of the security controls to the optimal settings.

Now let me go to the threat analytics section. Threat analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats in your organization and provide recommended actions to contain, increase organizational resilience and prevent specific threats. So let me open this threat, for example, and you can see executive summary information and a deep dive on how this threat actually works, in a nice visual. You also get some mitigation steps and detection details, all to help you understand how this threat actually works. The nice thing is that for this emerging threat you can see a list of machines vulnerable to this threat and whether this threat is mitigated across all your workstations.

I will go now to the threat and vulnerability management section, which helps you detect and assess threats across endpoints. For example, I can see many areas of improvement in my environment; these areas are listed here, such as the application, the OS, network, accounts and security controls. If we take the operating system area of improvement, for example, we can see our score is 41 out of 183, which means I can do better by following Microsoft recommendations. Let me click on the operating system improvement area and learn more about how I can raise my configuration score. Here I get a list of security recommendations, like this one right here, and I get information about the security recommendation and how to harden my workstations, along with a list of machines that don't comply, which I believe is a great insight that helps you quickly fix this on the list of machines here instead of just going to every machine and trying to solve the problem. If we go to the security controls improvement area, you can also see a couple of recommendations like enabling SmartScreen, some firewall rules configuration recommendations and enabling BitLocker on Windows machines; again, for each one of these recommendations you get the list of machines that don't comply. Now your objective would be to raise your overall configuration score by hardening your machines against emerging threats and following Microsoft recommendations.

Another area I want to talk about is advanced hunting, which is a super powerful tool during your investigations. Here you can get the schema for the information collected by Microsoft Defender ATP, and this helps you build your own queries. But don't worry, you have some ready queries made for you by Microsoft engineers, like searching for hidden PowerShell windows across all your workstations. Here you can see the query language, which is quite simple, and below you can see we have one machine called demo 3 where the Microsoft Defender ATP agent observed the creation of hidden PowerShell windows; this can be a suspicious activity that is worth investigating. You can also query for all internet downloads across all your machines, and here we have this machine, and this machine downloaded Adobe Reader from the internet using a browser. Now this becomes handy if, for example, you are investigating an infected machine and you want to filter this output to see what this machine downloaded from the internet during an attack. Finally, remember that attacks usually happen using the context of a compromised user, so if you suspect that an attacker stole the credentials of a certain user and used those credentials to perform pass-the-hash to move to other machines, you can switch your investigation from focusing on the workstation to tracking identities and what they are doing across machines. Identity tracking allows you to track lateral movement inside your environment, so I can search for a user called master and ask Microsoft Defender ATP to return all his activities across all machines. So here we have the user logging on to two machines, and we can zoom in and see what activities or alerts are associated with this user on a certain machine, which is so powerful. Now Microsoft has a great solution called Azure Advanced Threat Protection, or Azure ATP, that can integrate with Microsoft Defender ATP and fill the gap when it comes to detecting anomalies involving compromised credentials. I highly recommend that you have a look at Azure Advanced Threat Protection and enable the integration between the two products. I'm going to leave you with some resources to learn more about Microsoft Defender ATP to help you detect attacks while they are happening in your environment.
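The identity pivot just described (start from one account and list every machine it touched, rather than starting from one machine) is worth seeing on raw logon data. The following Python is an added example, not code from the talk or from Microsoft: it applies that pivot to a constructed set of logon events (Windows-style logon types, where 2 is interactive, 3 is network and 10 is RemoteInteractive, i.e. RDP), returns the hosts an account reached in order, and flags any account whose network or RDP logons reached two or more distinct hosts inside a 30-minute window, which is the shape a pass-the-hash hop leaves in logon telemetry. The times, hosts, accounts, addresses and function names are all my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    host: str
    account: str
    logon_type: int   # Windows logon types: 2 interactive, 3 network, 10 remote interactive (RDP)
    source_ip: str


REMOTE_LOGON_TYPES = {3, 10}


def _parse(line: str) -> LogonEvent:
    """Parse one constructed 'time,host,account,logon_type,source_ip' record."""
    time, host, account, logon_type, source_ip = line.split(",")
    return LogonEvent(datetime.fromisoformat(time), host, account, int(logon_type), source_ip)


# Constructed logon telemetry; every time, host, account and address is made up for the example.
SAMPLE_LOGONS = [_parse(line) for line in """
2019-11-02T09:58:00,demo1,master,2,127.0.0.1
2019-11-02T10:05:00,demo3,master,10,10.0.0.11
2019-11-02T10:09:00,demo2,master,3,10.0.0.13
2019-11-02T10:12:00,demo2,master,3,10.0.0.13
2019-11-02T09:00:00,demo2,alice,2,127.0.0.1
2019-11-02T09:30:00,fileserver,alice,3,10.0.0.12
2019-11-02T02:00:00,fileserver,svc_backup,3,10.0.0.50
2019-11-02T08:00:00,demo1,svc_backup,3,10.0.0.50
""".strip().splitlines()]


def logons_for(events: List[LogonEvent], account: str) -> List[LogonEvent]:
    """All logons of one account, oldest first (the identity-tracking timeline)."""
    return sorted((e for e in events if e.account.lower() == account.lower()), key=lambda e: e.time)


def hosts_for(events: List[LogonEvent], account: str) -> List[str]:
    """Hosts the account touched, in order of first logon."""
    hosts: List[str] = []
    for e in logons_for(events, account):
        if e.host not in hosts:
            hosts.append(e.host)
    return hosts


def find_lateral_movement(events: List[LogonEvent],
                          window: timedelta = timedelta(minutes=30)) -> Dict[str, List[str]]:
    """Accounts whose network/RDP logons reached two or more distinct hosts within `window`,
    mapped to the hop sequence; interactive logons (the user at the keyboard) are ignored."""
    flagged: Dict[str, List[str]] = {}
    for account in sorted({e.account for e in events}):
        hops: List[LogonEvent] = []
        for e in logons_for(events, account):
            if e.logon_type in REMOTE_LOGON_TYPES and all(h.host != e.host for h in hops):
                hops.append(e)  # keep only the first remote logon to each host
        for i, start in enumerate(hops):
            chain = [h for h in hops[i:] if h.time - start.time <= window]
            if len(chain) >= 2:
                flagged[account] = [h.host for h in chain]
                break
    return flagged


if __name__ == "__main__":
    print("master touched:", hosts_for(SAMPLE_LOGONS, "master"))
    print("possible lateral movement:", find_lateral_movement(SAMPLE_LOGONS))
```

The window is the tuning knob: the service account in the sample reaches two hosts six hours apart and is not flagged at 30 minutes, but would be at 8 hours, so pick the window from how your own service accounts behave before trusting the output.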
resources to learn more about Microsoft defender ATP to help you detect attacks while they are happening in your environment if you work in the security field you most likely know what is incident response you have a security incident which is a result of attack or malicious or intentional actions and part of your role is to respond to security incidents when they happen now an effective incident response management is handled in several steps or phases you have detect response mitigate report recovery remediation and lessons learned phase which feeds back to the detect phase again to improve your detection and response let's now see how Microsoft Defender ATP features are mapped to different phases of your incident response management in order to respond to an incident you need to detect it first so Microsoft Defender ATP alerts help you detect incidents when they happen on your machines after detecting and verifying an incident by analyzing the alert in Microsoft Defender ATP management portal and depending on the severity of the incident you might activate your incident response team to help investigating the incident assessing the damage and in very mediation and collecting evidence in the response phase Microsoft Defender ATP consolidate related alerts into an incident so any set of dealing with dozens or hundreds of alerts Microsoft Defender ATP will automatically group related alerts and create an incident for you you can assign the incident to individuals and you can change the status of incidents in the portal this gives your security team or your Incident Response Team a focused view on what needs attention inside the incident they can see all machines involved in that incident all alerts evidences and a nice visual graph to help your team in their investigation now in the response phase also your forensic team or Incident Response Team might need to collect more information about the machine like what services are running on that machine list of 
applications installed auto run configuration and more here you can use Microsoft Defender ATP collect investigation package to help you collect such information right from within the management portal and without even touching the infected machine next we have the mitigation phase and let me be clear on what this phase means mitigation and incident response management attempts to contain an incident because one of the primary goals of effective Incident Response is to limit the effect or scope of an incident this can be for example disconnecting the network interface to prevent the malware from spreading or prevent the attacker from leaking data outside now in this phase it might be important not to turn off the infected machine when containing an incident as doing so means you are going to lose the temporary files and data stored in memory or it might be you want to study and learn what the attacker is doing on that machine without letting him know you discovered the attack now Microsoft Defender ATP offers two great mitigation features first we have the app restriction feature which restricts the machine from running any software not signed from Microsoft and the isolate machine feature which is exactly like disconnecting the network card of the machine but with allowing that machine to communicate with Microsoft Defender ATP service so that you can monitor what's happening with that machine meanwhile after you mitigate the incident you should report the incident within your organization and perhaps individuals outside the organization this might be to comply with laws and regulations and you can use Microsoft Defender reports to help you in that after you mitigate and report the incident and after collecting all evidences from that system the next step is to recover the system or return it to a fully functional State from the Microsoft Defender ATP management portal you can start an anti-virus scan on the infected machine you can quarantine a file or this might 
be happening automatically for you by Microsoft Defender ATP, thanks to the new automated investigation feature and the recent acquisition of a company called Hexadite. Now, recovery might also mean rebuilding the whole machine from an image, depending on the nature of the attack.

In the remediation stage you attempt to identify what allowed the incident to occur, and then implement methods to prevent it from happening again. This includes performing root-cause analysis. Here is where things get interesting, as Microsoft Defender ATP offers many things to help you identify what happened across all your machines. You already have the investigation package you collected earlier, which is a great source of information to learn about open network connections, SMB sessions, local groups, process lists and more information from the infected machine. You can also use the Machine Timeline feature in the Microsoft Defender ATP management portal to reproduce all the events that happened on that machine during the attack, and you can even go back in time and see what happened on that machine. This includes learning about what each process is doing, what network connections were opened, and by which executables. You can also use Microsoft Defender ATP advanced hunting and write your own queries, or use the built-in queries available for you in the management portal, which allow you to hunt for possible threats across your organization using a powerful search and query language.

And finally you have the lessons learned phase. Here you are trying to prevent this incident from happening again and review your overall security posture. Microsoft Defender ATP offers a lot of capabilities that can help you harden your environment by following security recommendations from Microsoft engineers. The secure score expands your visibility into the overall security posture of your organization; from this dashboard you will be able to quickly assess the security posture of all your machines. Threat analytics is a set of
interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats in your environment and provide recommended actions to contain, increase the organization's resilience and prevent specific threats. And you have the threat and vulnerability management capability in Microsoft Defender ATP, which helps you detect and assess threats across your endpoints. By now you know how Microsoft Defender ATP helps you in your incident response management and in hardening your environment by following security and configuration recommendations by Microsoft. Let's not forget the role of automation and machine learning, which can significantly reduce the work you should do in responding to incidents.

Now that you know what the cyber kill chain is and the pre-breach defensive approach, which can be by implementing Microsoft Defender ATP, I'm going to talk about the post-breach defensive strategy, which is how to detect attacks after they happen. Now, two things to mention here. First, if you are going to follow security practices like defense in depth, you don't want all your security controls to be focused on preventing malware from installing on your machines, as sometimes malware can actually get installed undetected even if you have dozens of security controls at the endpoint itself. You want to assume the worst scenario, that is, a malware is already installed and an attack is actually happening inside your environment. Here is where the post-breach defensive controls might become handy. To be able to do that we need to use machine learning and anomaly detection, as we are going to see now. The next wave of applying machine learning and AI in your security defensive strategy is by trying to detect attacks after they happen; that is, if your endpoint detection technique fails to stop an attack, how can you know there is an attack happening inside your network? This is where another form of machine
learning is applied that relies on anomaly detection, or unsupervised learning. This is simply the machine learning what's normal, and when something outside of that norm occurs it does not label it good or bad, but still it's a great complement to a supervised approach, to find something that perhaps a normal researcher wouldn't find or an antivirus fails to detect. Anomaly detection usually happens after the attack compromises a machine and starts moving inside your network, perhaps to find more valuable assets. Now, Microsoft's answer to this area is by implementing Azure Advanced Threat Protection, or Azure ATP, which was formerly known as Advanced Threat Analytics, or ATA.

Let me try to help you visualize how anomaly detection can help you detect an attack after it happens. Suppose we have John, a new hire who is a security expert and whose job is to monitor your environment for attacks. The first thing John would do is to learn about your environment. He starts by learning about all the machines in the network, what operating systems they are running for example, and he would also learn about all users and groups in your network, especially who is a member of highly privileged groups like the Domain Admins and Schema Admins groups. Now that John knows about every machine, every user and every group in the environment, John will start learning about the behavior of users. For each user in the environment John creates a behavioral profile. In this behavioral profile John will analyze which machines each user is normally using, what the login hours are for each user, and which users are sensitive; for each user John will also learn who are his peers and who that user works with, and finally what resources each user normally accesses.

Now let us replace John with Azure Advanced Threat Protection, which is an agent that you install on each and every domain controller in your environment. Suppose we have Alice, who works in the HR department, and remember that Azure
ATP knows everything about Alice already: her working hours, the machine or machines she normally uses, and what resources she usually accesses. Now, if Azure ATP detects that Alice is logging in from the CFO's machine, Azure ATP will immediately flag an anomaly and raise an alert to the security team, because that might mean that an attacker compromised her machine and credentials and is using some technique like pass-the-hash to move to the CFO's machine, which Alice does not normally do. The same thing will happen if Azure ATP detects that Alice is trying to access the finance file share, which is an anomaly, as Azure ATP knows through its learning phase that Alice normally does not access the finance share. Azure ATP is a great tool to have in your environment, as it complements other security measures and controls that you already have. Azure ATP agents start by collecting logs from your domain controllers and other resources; then the analyze and learn phase kicks off, and this is when the Azure ATP agents learn about the environment. The third phase is when detection happens due to an anomaly, in which case you will get alerted and provided with a comprehensive dashboard to track what is happening. The final stage is integration; this is where Azure ATP integrates with Microsoft Defender ATP so that we can have identity-based protection with Azure ATP and machine- or endpoint-based protection with Microsoft Defender ATP. When it comes to the cyber kill chain, you can see that Azure ATP fits in the post-breach area, trying to detect anomalies and lateral movement inside your environment by using machine learning to study and learn the behavior of users and the resources they are accessing. I'm gonna leave you with some resources to learn more about Microsoft Defender ATP and Azure ATP, so that you can consider implementing both in your environment to help you detect attacks while they are happening and after they happened.

In this presentation we talked about service accounts in Windows and how things can go wrong with
service accounts. Please have a look at managed service accounts, and remember not to run any service under the domain admin account. We also talked about pass-the-hash attacks and how they can be used by attackers to move inside your network after gaining access to the hash of your users' passwords. Always make sure you don't have the same local admin password across your machines, and remember you can always use the Microsoft Local Administrator Password Solution to automate this job. We then talked about the cyber kill chain and how you can use machine learning defenses for the pre-breach and post-breach phases of the attack; Azure ATP and Microsoft Defender ATP can be used to help you detect attacks as they happen and after that. Finally, I will leave you with great resources I put together that I highly recommend you look at: you can find my blog series on how Azure ATP works and how to deploy it in your environment, and you can also look at my Secure the Modern Workplace series with the different ATP products from Microsoft, including a third ATP product from Microsoft called Office 365 ATP.

I want to thank everyone who attended my session at the BSides Amman conference this year and all the people who are watching this video right now. Remember also that you can view my slides at SlideShare, and you can follow me on SlideShare so you can access all my previous and future presentations. If you want to watch more videos about cloud and cybersecurity, you can always subscribe to my YouTube channel listed here. I would also appreciate it if you give me some feedback and thoughts about this session, either by leaving a comment on this video or sending me a message directly using one of my social media accounts. I hope you enjoyed watching my session, so thank you again, and wait for my next videos.
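The behavioral-profile idea the talk illustrates with John and Alice (learn each user's normal machines, login hours and resources in a learning phase, then flag Alice logging on to the CFO's machine or reaching the finance share in a detection phase), as an added toy example. This is not code from the talk and not how Azure ATP itself is implemented; the user, host and share names, the "sensitive user" set and the severity rules are all constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed logon or resource access. hour is 0-23 (local time)."""
    user: str
    host: str
    hour: int
    resource: str = ""  # file share or service touched; "" for a plain logon


class Profiler:
    """Learn what is normal per user, then score new events against that norm.

    Mirrors the talk's description: machines each user normally uses, their
    login hours, resources they normally access, and which users are sensitive.
    (Toy implementation for illustration, not Azure ATP's algorithm.)
    """

    def __init__(self, sensitive_users=()):
        self.sensitive = set(sensitive_users)   # assumption: CFO, privileged group members
        self.hosts = defaultdict(set)           # user -> machines normally used
        self.hours = {}                         # user -> (earliest, latest) hour seen
        self.resources = defaultdict(set)       # user -> resources normally accessed
        self.host_users = defaultdict(set)      # machine -> users normally seen on it

    def learn(self, events):
        """Learning phase: build the per-user behavioral profiles."""
        for e in events:
            self.hosts[e.user].add(e.host)
            self.host_users[e.host].add(e.user)
            lo, hi = self.hours.get(e.user, (e.hour, e.hour))
            self.hours[e.user] = (min(lo, e.hour), max(hi, e.hour))
            if e.resource:
                self.resources[e.user].add(e.resource)

    def detect(self, e):
        """Detection phase: return a list of (severity, reason); empty means normal."""
        findings = []
        if e.user not in self.hosts:
            return [("medium", f"{e.user}: no behavioral profile, cannot baseline")]
        if e.host not in self.hosts[e.user]:
            sensitive_owners = self.host_users.get(e.host, set()) & self.sensitive
            if sensitive_owners:
                findings.append(("high", f"{e.user} logged on to {e.host}, normally used by "
                                         f"sensitive user(s) {sorted(sensitive_owners)}: "
                                         "possible lateral movement (e.g. pass-the-hash)"))
            else:
                findings.append(("medium", f"{e.user} logged on to {e.host}, never seen for this user"))
        lo, hi = self.hours[e.user]
        if not lo <= e.hour <= hi:
            findings.append(("low", f"{e.user} active at {e.hour:02d}:00, outside usual "
                                    f"{lo:02d}:00-{hi:02d}:00"))
        if e.resource and e.resource not in self.resources[e.user]:
            findings.append(("medium", f"{e.user} accessed {e.resource}, not in normal resource set"))
        return findings


# Constructed learning data for a fictional domain (not real logs).
LEARNING_EVENTS = [
    Event("alice", "hr-ws01", 9, r"\\fs01\hr"),
    Event("alice", "hr-ws01", 11),
    Event("alice", "hr-ws01", 16, r"\\fs01\hr"),
    Event("cfo", "fin-ws01", 8, r"\\fs01\finance"),
    Event("cfo", "fin-ws01", 18, r"\\fs01\finance"),
    Event("bob", "it-ws02", 7),
    Event("bob", "dc01", 10),
]

# Constructed events to score; the middle two are the Alice scenarios from the talk.
DETECTION_EVENTS = {
    "alice_normal": Event("alice", "hr-ws01", 10, r"\\fs01\hr"),
    "alice_on_cfo_machine": Event("alice", "fin-ws01", 10),
    "alice_reads_finance": Event("alice", "hr-ws01", 10, r"\\fs01\finance"),
    "alice_at_night": Event("alice", "hr-ws01", 3),
}


def build_profiler():
    """Profiler trained on the constructed learning events, with the CFO marked sensitive."""
    p = Profiler(sensitive_users={"cfo"})
    p.learn(LEARNING_EVENTS)
    return p


def run_demo():
    """Score every detection event; returns {name: [(severity, reason), ...]}."""
    p = build_profiler()
    return {name: p.detect(e) for name, e in DETECTION_EVENTS.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "normal")
```

The two phases are the point: nothing is labelled good or bad during learning, and a finding only means "outside this user's norm", which is why the Alice-on-the-CFO-machine case is scored higher than an unfamiliar but unprivileged machine. A real product would use longer baselines, peer groups and sequence features rather than plain set membership and an hour window.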
Info
Channel: Ammar Hasayen
Views: 1,553
Keywords: BSides, BSides Amman, BSidesAmman, Security, Cybersecurity, Machine Learning, AI, AI Cybersecurity, Windows, Windows 10, Azure, Azure ATP, AzureATP, Windows ATP, Windows Defender, Windows Defender ATP, Webinar, Conference, Speaker, Defense in depth, Anomaly Detection, Hack, Hacker, Hacking, Azure Security, Microsoft ATP, Microsoft Defender ATP, Antimalware
Id: FJhVoXwoX_w
Length: 87min 4sec (5224 seconds)
Published: Fri May 17 2019