Crouching Admin, Hidden Hacker: Techniques for Hiding and Detecting Traces
Paula Januszkiewicz, Penetration Tester, MVP: Enterprise Security, MCT
iDesign - CQURE: [email protected]
Agenda
1. Accountability Idea
2. Delivery & Launch
3. Hiding & Detecting
4. Summary
Operating System Accountability
Windows 7 is designed to be used securely:
- Achieved Evaluation Assurance Level (EAL) 4+ certification that meets Federal Information Processing Standard (FIPS) #140-2
- Has C2 certification (Trusted Computer System Evaluation Criteria)
- Passed the Common Criteria Certification process
The above means that every step leaves some trace!
Operating System Logging Mechanisms
- Event Log: extendable, supported by API
- Plain text files (.log)
- Kernel traces
- Notifications
- SQL (ODBC)
- Application related
Demo (tools: http://stderr.pl/cqure/tools.zip)
Demo: Logs Less & More Advanced
Hacker’s Delivery
Binaries are delivered:
- With files from the Internet
- On removable media
- Through LAN
- Through offline access
- By manipulating legitimate files
- Using vulnerabilities (buffer overflows)
Demo: Replacing Files
Demo: "Vulnerabilities"
Demo: Services & ACLs
Launching Evil Code
- Cheating the administrator
- Using automated ways: Explorer, Services, Drivers, DLLs
- Replacing files
- Path manipulation
- Injecting code
- Hooking calls
Demo: Services (In)Security
Demo: From A to Z - DLLs
Demo: Stuxnet Drivers
Areas of Focus
Problem: Too much information to control
Solution: Select areas with a high probability of infection: DLLs, Services, Executables, Drivers
This approach works as a first step
Dirty Games: Protection Mechanisms
- Introduced in Windows Vista
- Part of Digital Rights Management
- Protection is provided in two ways: an extension to the EPROCESS structure (the ProtectedProcess bit) and a signing policy
Demo: Protected Processes
Dirty Games: Hiding Mechanisms
- Bypassing neighbouring process objects: "pointing the pointer", i.e. manipulating ActiveProcessLinks in nt!_EPROCESS
- Does not affect software operation
- Threads are still visible
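The last two bullets are the detection angle: unlinking a process from the ActiveProcessLinks list hides it from anything that walks that list, but its threads still exist and still point back at their owner. The following is an added toy model (not code from the talk, and not real kernel structures) that shows the list unlink and the cross-view check that recovers the hidden process through its threads:

```python
from dataclasses import dataclass, field

@dataclass
class EProcess:
    """Toy stand-in for nt!_EPROCESS (constructed model, not the real layout)."""
    pid: int
    name: str
    threads: list = field(default_factory=list)  # owned EThread objects
    flink: "EProcess | None" = None               # ActiveProcessLinks.Flink
    blink: "EProcess | None" = None               # ActiveProcessLinks.Blink

@dataclass
class EThread:
    """Toy stand-in for nt!_ETHREAD: every thread keeps a pointer to its owner."""
    tid: int
    owner: EProcess

def build_process_list(names):
    """Link processes into a circular doubly linked list (like the kernel's
    PsActiveProcessHead list) and give each process two threads."""
    procs = [EProcess(pid=4 * (i + 1), name=n) for i, n in enumerate(names)]
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % len(procs)]
        p.blink = procs[(i - 1) % len(procs)]
    threads = [EThread(tid=p.pid * 10 + k, owner=p) for p in procs for k in range(2)]
    for t in threads:
        t.owner.threads.append(t)
    return procs, threads

def walk_active_process_links(head):
    """What a list-walking enumerator sees: follow Flink until back at head."""
    seen, cur = [], head
    while True:
        seen.append(cur)
        cur = cur.flink
        if cur is head:
            return seen

def unlink_process(p):
    """'Pointing the pointer': neighbours skip p; p and its threads keep running."""
    p.blink.flink = p.flink
    p.flink.blink = p.blink

def find_hidden_processes(head, all_threads):
    """Cross-view check: a thread whose owner is missing from the list exposes hiding."""
    listed = {id(p) for p in walk_active_process_links(head)}
    return sorted({t.owner.pid for t in all_threads if id(t.owner) not in listed})
```

Real tools do the same cross-view comparison against scheduler thread lists, handle tables or pool scans rather than a Python list, but the principle is identical: compare two independent views and investigate anything present in one and absent from the other.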
Demo: Hidden Processes
Dirty Games: Hooks
- Allow running our code instead of the system code
- Work on running code
- Allow intercepting API calls
- Do not require special privileges
- Useful for developers… and for the ‘bad guys & girls’
Demo: Hooking
3 of 10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Demo: Passwords in the Operating System
Summary
- Learn how to detect malicious situations
- Know your system when it is safe – you need a baseline
- If you detect a successful attack – do not try to fight
  - Report the issue
  - Format your drive
- Estimate the range of the attack
- Know how to recover your data, when necessary
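The "you need a baseline" point and the earlier Areas of Focus slide (DLLs, services, executables, drivers) fit together as one check: record the focus areas while the machine is known-good, then diff the live state against that record. Below is an added example (not the talk's code) of such a baseline diff; snapshot_directory() hashes files on disk by extension, the service map is assumed to be collected separately, and the BASELINE/CURRENT_SAMPLE dictionaries are constructed sample data, not real systems:

```python
import hashlib
import os

# The deck's four high-probability areas; files are bucketed by extension.
AREAS = ("dlls", "executables", "drivers", "services")
EXT = {"dlls": (".dll",), "executables": (".exe",), "drivers": (".sys",)}

def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot_directory(root, services=None):
    """Hash every .dll/.exe/.sys under root; 'services' is a name -> config
    mapping you collect separately (e.g. from the SCM) while the box is clean."""
    snap = {a: {} for a in AREAS}
    snap["services"] = dict(services or {})
    for dirpath, _, files in os.walk(root):
        for name in files:
            for area, exts in EXT.items():
                if name.lower().endswith(exts):
                    full = os.path.join(dirpath, name)
                    snap[area][full] = file_sha256(full)
    return snap

def diff_area(base, cur):
    """added: new item; removed: gone; changed: same name but different hash
    or config, which is what a replaced legitimate file looks like."""
    kb, kc = set(base), set(cur)
    return {"added": sorted(kc - kb), "removed": sorted(kb - kc),
            "changed": sorted(k for k in kb & kc if base[k] != cur[k])}

def compare_snapshots(baseline, current):
    """Per-area diff; an empty dict means the focus areas match the baseline."""
    report = {}
    for area in AREAS:
        d = diff_area(baseline.get(area, {}), current.get(area, {}))
        if any(d.values()):
            report[area] = d
    return report

# Constructed sample snapshots (not real data): svchost.exe replaced, plus a
# new service and a new driver since the baseline was taken.
BASELINE = {"executables": {r"C:\Windows\System32\svchost.exe": "a" * 64},
            "drivers": {r"C:\Windows\System32\drivers\mrxsmb.sys": "c" * 64},
            "services": {"Spooler": "auto|spoolsv.exe"}}
CURRENT_SAMPLE = {"executables": {r"C:\Windows\System32\svchost.exe": "d" * 64},
                  "drivers": {r"C:\Windows\System32\drivers\mrxsmb.sys": "c" * 64,
                              r"C:\Windows\System32\drivers\newdrv.sys": "e" * 64},
                  "services": {"Spooler": "auto|spoolsv.exe", "UpdSvc": "auto|upd.exe"}}
```

Store the baseline off the machine (an attacker who can alter the operating system can alter a local baseline just as easily) and treat every "changed" entry in the report as a candidate replaced file until it is explained by a patch or an authorised change.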
Related Content
Breakout Sessions (SIA203, SIA311, SIA304, SIA307)
Find Me Later At TLC
Resources
Connect. Share. Discuss.
http://europe.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved.