Page 1

Expert Webinar: Hacking Your Windows IT Environment

Presenters:

Liam Cleary

Microsoft MVP, Blogger

www.helloitsliam.com

@helloitsliam

[email protected]

Jeff Melnick

Pre-Sales Director, Netwrix

[email protected]

Page 2

Housekeeping

• All attendees are on mute

• Ask your questions! Type your question in the chat panel and click "Send"

• Questions will be answered during the session or at the Q&A at the end

• You will receive a copy of the slides and the webinar recording in the follow-up email

• Duration: up to 60 minutes

• We hope you enjoy!

Page 3

Win one of three $100 Amazon eGift Cards

• We will randomly draw 3 attendees' names at the end of the webinar

• You must be present at the end of the webinar to be eligible

• We will contact all winners after the webinar

• Ask your questions and be active!

Page 4

Agenda

Attacks

• Understanding attacks

• Attack methods

• Exploitation process

Protection

• Patch management

• General protections

Monitoring

• General approaches

• Netwrix Auditor

Page 5

Understanding Attacks

Page 6

Understanding Attacks: Vulnerability, Exploit, Threat

Vulnerability

A vulnerability is a weakness in an application, an operating system or even hardware that allows it to be used in a way that was not intended. Before attacking, an attacker probes vulnerabilities to learn about the security defenses in place; at this stage the attacker is solving a puzzle about what they can get away with.

Page 7

Exploit

An exploit is a package (code, a script or a module in a framework such as Metasploit) that understands a known vulnerability and uses it to execute arbitrary code or start processes on the target. Because an exploit runs on the target itself, it operates behind the perimeter firewall where it is harder to spot, and it can cause irreparable damage if it goes undetected.

Page 8

Threat

A threat is the potential event in which an attacker uses a vulnerability. A realized threat normally involves an exploit together with other processes and tools, such as weapon delivery, listeners and pivoting.

Page 9

Attack

Phases of an engagement: Rules of engagement → Intelligence gathering → Vulnerability analysis → Exploitation → Post-exploitation and reporting

Page 10

Types of Attacks

• Phishing

• Malware

• Cross-site scripting

• SQL injection

• Man-in-the-middle

• Session hijacking

• Credential reuse

• Denial-of-service

Page 11

Application Specific Attack Methods

• Authentication test

• Test manual access

• Brute force web access

• Web service scanning

• Remote desktop test

• Database attack

Page 12

Client Side Application Attacks

• Users

• Sessions

• Client side controls

• Authentication

• Web applications

• Back end components

Page 13

The Attack Process

Page 14

The Attack Process

• Scan IP ranges

• Scan firewall

• Scan devices

• Active Directory attack

• Specific application attacks

• Database attack

Page 15

Scanning

• Ping sweeps: send ICMP echo or TCP probes to return the "active" devices and servers

• Inverse mapping: exclude the devices and servers that do not respond and treat what remains as the live map. A host that drops ICMP (the Windows Firewall default on the Public and Private profiles) still shows up when probed on TCP, so probe both before excluding anything

• Port scans: protocol-specific interrogation of the devices and servers found

Page 16

Network Server Scanning (diagram: ICMP/TCP sweep of the servers, then port scan)

Page 17

Network Device Scanning (diagram: ICMP/TCP sweep of the devices, then port scan)

Page 18

Network, Port and Service Scanning

Tools:

• Ping sweeps: AngryIP Scanner

• Port scans: Nmap

• PowerSploit

• Metasploit

• Manual
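The sweep-then-scan sequence from the last few slides as a PowerShell script. This is an added example and not part of the webinar material; it assumes the 192.168.111.0/24 range used on the pivoting slides, a LAN-scale timeout, and a short list of ports an attacker checks first on Windows hosts. The Test-TcpPort function and the port list are the example's own choices.

```powershell
# Added example: ICMP sweep, then a TCP connect scan of Windows management ports.
# Assumed values: the subnet, the port list and the timeout.
$Subnet    = '192.168.111'
$Ports     = 135, 139, 445, 3389, 5985      # RPC, NetBIOS, SMB, RDP, WinRM
$TimeoutMs = 300

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 300)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        # WaitOne is $false on timeout (filtered); Connected is $false after a RST (closed)
        if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($handle)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$targets = 1..254 | ForEach-Object { "$Subnet.$_" }

# Ping sweep. Windows Firewall drops ICMP echo by default on the Public and
# Private profiles, so a silent address is not necessarily an empty one.
$icmpAlive = $targets | Where-Object {
    Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
}

# Port scan every address, not only the ICMP responders. Hosts that answer on
# TCP but not on ICMP are exactly what the "inverse mapping" step recovers.
$open = foreach ($t in $targets) {
    foreach ($p in $Ports) {
        if (Test-TcpPort -Target $t -Port $p -TimeoutMs $TimeoutMs) {
            [pscustomobject]@{
                Host        = $t
                Port        = $p
                IcmpReplied = ($icmpAlive -contains $t)
            }
        }
    }
}

$open | Sort-Object Host, Port | Format-Table -AutoSize
```

Sequential connects against 254 addresses take a few minutes at a 300 ms timeout. On the defending side, every one of these probes lands in the host firewall log when logging of dropped packets is turned on, which is the simplest way to see a sweep like this coming.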

Page 19

Exploitation Process

Page 20

Exploitation Steps

Identify vulnerability → Identify exploit → Select module / framework → Create payload → Generate code → Create listener

Page 21

Exploitation Steps (continued)

Weapon delivery → Remote access exploit saved and executed → Remote command execution → Remote shell → Remote web backdoor opened

Page 22

Pivoting

• The attacker has direct access to the target only, and no access beyond it

• Utilize the target to proxy requests into the network behind it

Diagram: attacker on 192.168.153.X/24; target dual-homed on 192.168.111.X/24. In the Meterpreter session, "run get_local_subnet" returns 192.168.111.X/24, which is then scanned and proxied through the session.

Page 23

Pivoting Commands

# In the Meterpreter session: get the local subnets of the target
run get_local_subnet

# Put the session in the background and return to the msfconsole prompt
background

# In msfconsole: route traffic for the hidden subnet over session 1, so Metasploit
# modules run from the console reach it. The subnet is the one behind the target
# (192.168.111.0 in the diagram), not the attacker's own 192.168.153.0
route add 192.168.111.0 255.255.255.0 1

# Back in the session: confirm the target's interfaces, then ARP-scan the hidden
# subnet from the target itself
sessions -i 1
ifconfig
run arp_scanner -r 192.168.111.0/24

Page 24

Port Forwarding

• Forward traffic to the target, then on to hosts that are not directly visible

• The attacker connects to a local port

• The target forwards the request on the chosen port

Diagram: attacker on 192.168.153.X/24, relay through the target, destination on 192.168.111.X/24; local port 3389 is relayed to remote port 3389.

Page 25

Port Forwarding Commands

# In the Meterpreter session: forward local port 3389 to port 3389 on a host that only the target can reach
portfwd add -l 3389 -p 3389 -r 192.168.111.130
portfwd list

# On the attacker machine: RDP to the local forwarded port. 192.168.111.130 itself is not
# reachable from the attacker; the session relays the connection to it
rdesktop 127.0.0.1
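The same relay done with Windows' own port proxy instead of Meterpreter, together with the check a defender runs for it. This is an added example, not from the slides; it assumes the compromised relay host sits on 192.168.153.0/24 and the hidden RDP target is 192.168.111.130, as in the diagram.

```powershell
# Added example. Attacker side, run elevated on the relay host: listen on 3389
# and hand each connection to the host the attacker cannot reach directly.
# netsh portproxy depends on the IP Helper service (iphlpsvc). Pick another
# listen port if the relay host already runs RDP on 3389.
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=3389 connectaddress=192.168.111.130 connectport=3389

# Defender side. Proxy entries are stored in the registry and survive a reboot,
# which makes them a persistence artifact as much as a pivot. A clean host
# returns nothing from either check below.
netsh interface portproxy show all

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path $key) {
    $values = Get-ItemProperty -Path $key
    Get-Item -Path $key | Select-Object -ExpandProperty Property | ForEach-Object {
        # Value name is "listenaddress/listenport", data is "connectaddress/connectport"
        [pscustomobject]@{ Listen = $_; ForwardTo = $values.$_ }
    }
}

# The listener itself shows up as a socket owned by svchost.exe (the IP Helper host)
Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Cleanup
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=3389
```

The registry check is the one worth scheduling: an attacker who adds the proxy and then stops the IP Helper service leaves no listening socket, but the key is still there.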

Page 26

Token Stealing and Impersonation

• Incognito is used to retrieve the access tokens present on the target

• Impersonate a user with a retrieved token

Diagram: attacker on 192.168.153.X/24 relays through the compromised target into 192.168.111.X/24.

Page 27

Token Stealing Commands

# In the Meterpreter session: grab the current process list, including the account each process runs as
ps

# Steal the primary token of a process (here PID 380) and run as that account. This
# normally requires SYSTEM-level privileges on the target first
steal_token 380

# Load the Incognito extension
load incognito

# List the delegation and impersonation tokens available, then impersonate one to
# gain that account's permissions. The backslash is doubled in the Meterpreter console
list_tokens -u
impersonate_token DOMAIN\\user

Page 28

Protecting the Environment

Page 29

Patching your Windows environments

• Monthly rollup: the standard full rollup of ALL released patches

• Global patch: critical operating system updates

• Limited release patch: "from the field" patches covering specific issues

Page 30

Patching your Windows environments

Patch

• Only install patches that match the current patch level

• If the patch resolves a current issue

• If the patch is a security update

Don't patch

• Unless at the current service pack, don't deploy

• Multiple individual hotfixes versus the latest released service pack: prefer the service pack

• Avoid inconsistency across servers
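The "security updates first, know your current level" rules as a script, added here as an example rather than taken from the slides. It queries the local Windows Update agent through its COM API, assumes the host can reach WSUS or Microsoft Update, and installs nothing; the severity ranking is the example's own.

```powershell
# Added example: list updates the Windows Update agent considers missing,
# classify them, and order them the way the patching rules on the slide do.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    $isSecurity = [bool]($u.Categories | Where-Object { $_.Name -eq 'Security Updates' })
    $severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'None' }   # MSRC rating, security updates only
    [pscustomobject]@{
        Title    = $u.Title
        KBs      = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Security = $isSecurity
        Severity = $severity
    }
}

# Security updates by severity first, everything else (rollups, drivers) after
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; None = 4 }
$pending |
    Sort-Object @{ Expression = { -not $_.Security } }, @{ Expression = { $rank[$_.Severity] } }, Title |
    Format-Table Title, KBs, Security, Severity -AutoSize

# Current level of this server: the most recently installed hotfixes. Comparing
# this list across servers exposes the inconsistency the slide warns about.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

Run the same script on every server and diff the Get-HotFix output; two servers in the same role with different lists are the case where one of them is still exploitable.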

Page 31

General Server Protection

Layers: perimeter firewall, application firewall, operating system firewall

Controls: inspect ALL traffic, access control of traffic, monitor

Page 32

General Device Protection

Layers: perimeter firewall, device firewall

Controls: inspect ALL traffic, access control of traffic, monitor, block ports

Page 33

Infrastructure Protection

Layers: perimeter firewall, application firewall, operating system firewall

Controls: inspect ALL traffic, access control of traffic, monitor, server isolation, port control
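The operating system firewall layer from the three protection slides, expressed as Windows Firewall configuration: default-deny inbound, management ports reachable only from an admin subnet, logging of dropped traffic, and a check for rules that undo the scoping. This is an added example, not from the webinar; the admin subnet (192.168.153.0/24, the attacker's side of the earlier diagrams, reused here as the PAW network) and the log size are assumed values. Run elevated; these commands change live firewall state.

```powershell
# Added example: host firewall as inspection, access control and monitoring.
# Assumed values: the admin (PAW) subnet and the log file size.
$AdminNet = '192.168.153.0/24'

# Default-deny inbound on every profile, and log what is dropped so the
# scans from the attack section show up in pfirewall.log
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# Port control: management protocols reachable only from the admin subnet
New-NetFirewallRule -DisplayName 'Mgmt: RDP from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminNet -Action Allow
New-NetFirewallRule -DisplayName 'Mgmt: WinRM from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $AdminNet -Action Allow
New-NetFirewallRule -DisplayName 'Mgmt: SMB from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AdminNet -Action Allow

# Server isolation: the built-in rule groups allow these ports from anywhere,
# which would undo the scoping above, so turn them off
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue

# Verify: any enabled inbound allow rule that opens 3389 or 445 to "Any" is a finding
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
    $from  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    if (($ports -contains '3389' -or $ports -contains '445') -and $from -contains 'Any') {
        [pscustomobject]@{ Rule = $_.DisplayName; Ports = ($ports -join ','); From = ($from -join ',') }
    }
}
```

Block rules always win over allow rules in Windows Firewall, so scoping is done by narrowing the allow rules rather than by adding blocks; the verification loop at the end is what catches an installer that later adds a broad allow rule of its own.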

Page 34

Process Whitelisting

Allowed: executables, scripts, paths

Blocked: executables, scripts, paths
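The allowed/blocked lists on the slide as an AppLocker policy: rules are generated from what is actually installed on a trusted reference host, applied in audit mode first, then enforced. This is an added example and not from the webinar. It assumes the directories listed are trusted on the reference host and uses C:\Policies\applocker.xml as the policy path; run it elevated on an edition that supports AppLocker enforcement.

```powershell
# Added example: build a whitelisting policy from a trusted reference host,
# start in audit mode, then enforce. Assumed values: the trusted directories
# and the policy path.
$PolicyPath = 'C:\Policies\applocker.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# Allowed executables and scripts: publisher rules for signed files, hash rules
# for unsigned ones. Path rules are avoided on purpose: a user-writable
# subfolder under a broadly allowed path is a classic bypass.
$fileInfo = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script }
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyPath -Encoding utf8

# Audit first: set every rule collection to AuditOnly, so would-be blocks are
# logged (event 8003) without breaking anything
[xml]$policy = Get-Content -Path $PolicyPath -Raw
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$policy.Save($PolicyPath)

# Check a known-good binary against the policy before applying it. Add the path of
# an unsigned file dropped in %TEMP% to the list to see a Denied result.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path 'C:\Windows\System32\cmd.exe'

# Apply. Rules take effect only while the Application Identity service runs;
# sc.exe is used because Set-Service is refused for this protected service.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 8003 = would have been blocked (audit), 8004 = blocked (enforced)
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } | Select-Object TimeCreated, Id, Message
```

Switch the EnforcementMode attribute to Enabled only after the 8003 events have been quiet for a full business cycle; the blocked-path list on the slide is then the set of events you alert on rather than a list you maintain by hand.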

Page 35

Escalation Protection

Page 36

Privileged Access Management (PAM)

• Isolation / scoping of privileges

• Step-up and proof-up authentication

• Additional logging

• Customizable workflow

Page 37

Privileged Access Management (PAM)

Diagram: the corporate domain trusts a separate bastion domain. A shadow principal in the bastion domain is SID-mapped to the corresponding corporate identity, so membership in BASTION\group grants the rights of CORP\group across the trust.

Page 38

Privileged Access Management (PAM)

Workflow: request access → approval of access → permissions assigned → time-restricted access granted
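The "time-restricted access granted" step and the bastion/shadow principal diagram, implemented with the Active Directory Privileged Access Management optional feature. This is an added example, not part of the webinar material; the forest names corp.local and bastion.local, the group ServerAdmins, the user alice and the two-hour window are all assumed values, and the bastion part assumes a one-way trust from corp.local to bastion.local with SID history enabled.

```powershell
# Added example: time-limited privileged membership with the AD PAM optional
# feature, then the bastion-forest variant with a shadow principal.
# Assumed values: forests corp.local and bastion.local, group ServerAdmins,
# user alice, a two-hour window.
Import-Module ActiveDirectory

# One-time per forest, needs forest functional level 2016; it cannot be undone
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.local' -Confirm:$false

# Approved request: membership that the directory removes by itself when the TTL
# expires. The Kerberos TGT issued to the user is capped to the shortest TTL.
$ttl = New-TimeSpan -Hours 2
Add-ADGroupMember -Identity 'ServerAdmins' -Members 'alice' -MemberTimeToLive $ttl -Server 'corp.local'
Get-ADGroup -Identity 'ServerAdmins' -Properties member -ShowMemberTimeToLive -Server 'corp.local' |
    Select-Object -ExpandProperty member      # members show as <TTL=seconds,CN=...>

# Bastion variant: the shadow principal lives in the bastion forest but carries
# the SID of the corporate group, so across the trust it is that group.
$corpSid   = (Get-ADGroup -Identity 'ServerAdmins' -Server 'corp.local').SID
$configNC  = (Get-ADRootDSE -Server 'bastion.local').configurationNamingContext
$container = "CN=Shadow Principal Configuration,CN=Services,$configNC"
$shadow = New-ADObject -Type 'msDS-ShadowPrincipal' -Name 'CORP-ServerAdmins' -Path $container `
    -OtherAttributes @{ 'msDS-ShadowPrincipalSid' = $corpSid } -Server 'bastion.local' -PassThru

# Time-bound membership of the shadow principal, same TTL syntax
$aliceDn = (Get-ADUser -Identity 'alice' -Server 'bastion.local').DistinguishedName
Set-ADObject -Identity $shadow -Server 'bastion.local' -Add @{ member = "<TTL=$([int]$ttl.TotalSeconds),$aliceDn>" }
```

The approval and request steps of the workflow sit in front of these commands (MIM, a ticketing hook or a script with a second approver); what the directory contributes is that nobody has to remember to take the membership away again.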

Page 39

Privileged Access Workstations (PAW)

Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily-use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash and Pass-the-Ticket.

Tiers: Tier 0, Tier 1, Tier 2

Page 40

Privileged Access Workstations (PAW)

• Tier 0: Forest / Domain Admins, working from a dedicated admin workstation, administer Active Directory

• Tier 1: Server Admins, working from a dedicated admin workstation, administer servers

• Tier 2: Workstation Admins, working from a dedicated admin workstation, administer workstations

Logons between tiers:

• Same tier login: allowed; an admin account logs on only to assets of its own tier

• Higher tier login: blocked; a lower-tier account must not log on to a higher-tier asset

• Lower tier login: blocked; a higher-tier account must not log on to a lower-tier host, because the credential would then be exposed to whoever controls that host
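Why the lower-tier login rule matters is what the token-stealing slides showed from the attacker's side: "ps" followed by "steal_token" takes whatever accounts have processes on the host. The script below is the defender's version of that process list, run on a Tier 1 or Tier 2 host to find Tier 0 credentials that should not be there. It is an added example, not from the webinar, and assumes the NetBIOS domain name CORP and that Tier 0 means membership of the three listed groups; it must run elevated, since process owners are only visible to administrators.

```powershell
# Added example: find higher-tier credentials exposed on this host. Every process
# owner listed is a token that steal_token or Incognito could take.
# Assumed values: NetBIOS domain CORP; Tier 0 derived from AD group membership.
Import-Module ActiveDirectory
$Domain      = 'CORP'
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

$tier0 = foreach ($g in $Tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}
$tier0 = $tier0 | Sort-Object -Unique

$exposed = Get-Process -IncludeUserName |
    Where-Object { $_.UserName -like "$Domain\*" } |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.UserName
            Sam     = ($_.UserName -split '\\')[1]
            Pid     = $_.Id
            Process = $_.ProcessName
        }
    } | Where-Object { $tier0 -contains $_.Sam }

if ($exposed) {
    Write-Warning "Tier 0 tokens present on $($env:COMPUTERNAME): a local admin here can impersonate these accounts"
    $exposed | Sort-Object Sam, Pid | Format-Table -AutoSize
} else {
    "No Tier 0 process tokens on $($env:COMPUTERNAME)"
}
```

The fix for a hit is not to kill the process but to stop the logon from happening: assign the Tier 0 accounts to the "Deny log on locally", "Deny log on through Remote Desktop Services", "Deny access to this computer from the network", "Deny log on as a batch job" and "Deny log on as a service" user rights in the Group Policy that applies to Tier 1 and Tier 2 hosts.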

Page 41

Monitoring

Page 42

Monitoring approaches

• Audit logging

• Security event logging

• Firewall logs

Page 43

Monitoring categories

• Non-active accounts

• External accounts

• High-value accounts

• Different account types

• Restricted use accounts / devices

• Account naming conventions

• Account whitelist

• Anomalies or malicious actions
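The monitoring categories above as one scheduled sweep of Active Directory. This is an added example, not from the webinar; the admin naming pattern (adm-/svc- prefixes), the 90-day inactivity threshold, the approved-admin list and the mail domain corp.local are all assumed values that a real deployment replaces with its own.

```powershell
# Added example: the monitoring categories on the slide as a scheduled AD sweep.
# Assumed values: the admin naming pattern, the inactivity threshold, the
# approved admin list and the mail domain.
Import-Module ActiveDirectory
$InactiveDays   = 90
$AdminPattern   = '^(adm|svc)-'                # assumption: admin/service naming convention
$ApprovedAdmins = @('adm-liam', 'adm-jeff')    # assumption: the account whitelist
$MailDomain     = 'corp.local'

# Non-active accounts: still enabled, no logon in the last 90 days
$stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } | Select-Object SamAccountName, LastLogonDate

# High-value accounts: everyone with a path into Tier 0 groups, nesting included
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$highValue = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}

# Naming convention and whitelist: a Tier 0 member with a normal-user name, or
# one nobody approved, is the anomaly worth an alert
$findings = $highValue | Where-Object {
    $_.Account -notmatch $AdminPattern -or $_.Account -notin $ApprovedAdmins
}

# External accounts: enabled users whose mail address is not ours
$external = Get-ADUser -Filter "Enabled -eq 'True' -and mail -like '*'" -Properties mail |
    Where-Object { $_.mail -notlike "*@$MailDomain" } | Select-Object SamAccountName, mail

[pscustomobject]@{
    Stale        = @($stale).Count
    Tier0Members = @($highValue).Count
    Findings     = @($findings).Count
    External     = @($external).Count
}
$findings | Format-Table -AutoSize
```

Run it daily and diff the Tier0Members list against yesterday's; a new name there that did not come through the PAM workflow is the same signal as the event 4720 alert on the next slide, just from the group side.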

Page 44

Alerts example

# Filter the Security event log for account creation (event ID 4720). The event is
# only written when success auditing is enabled for the "User Account Management"
# subcategory: auditpol /set /subcategory:"User Account Management" /success:enable
function Get-EventField($Event, $Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720} |
    Select-Object TimeCreated,
        @{n='Account Creator'; e={ Get-EventField $_ 'SubjectUserName' }},
        @{n='User Account';    e={ Get-EventField $_ 'SamAccountName' }}

# Send the most recent event's details as an email
$Subject  = 'User account created'
$Server   = 'your.smtp.server'
$From     = '[email protected]'
$To       = '[email protected]'
# Do not embed the sender password in the script. Prompt for it interactively, or for a
# scheduled task save it once with Export-Clixml under the account that runs the task
# and load it here with Import-Clixml
$Cred     = Get-Credential -Message 'SMTP sender account'
$Encoding = [System.Text.Encoding]::UTF8    # UTF-8 so the message body displays correctly
# Format-List | Out-String turns the object into readable text; passing the object
# directly as "$Body" would mail its type name instead of the fields
$Body     = $Events | Select-Object -First 1 | Format-List | Out-String
Send-MailMessage -From $From -To $To -SmtpServer $Server -Subject $Subject -Body $Body -Credential $Cred -Encoding $Encoding

Page 45

Netwrix Auditor - Demonstration

Page 46

Demonstration: Netwrix Auditor

Page 47

Netwrix Auditor Applications

Netwrix Auditor for Active Directory

Netwrix Auditor for Windows File Servers

Netwrix Auditor for Oracle Database

Netwrix Auditor for Azure AD

Netwrix Auditor for EMC

Netwrix Auditor for SQL Server

Netwrix Auditor for Exchange

Netwrix Auditor for NetApp

Netwrix Auditor for Windows Server

Netwrix Auditor for Office 365

Netwrix Auditor for SharePoint

Netwrix Auditor for VMware

Page 48

Netwrix Customers

Sectors: Financial; Healthcare & Pharmaceutical; Federal, State and Local Government; Industrial / Technology / Other

Page 49

All awards: www.netwrix.com/awards

Industry Awards and Recognition

Page 50

Next Steps

• Free Trial: set up in your own test environment
  On-premises: netwrix.com/freetrial
  Virtual: netwrix.com/go/appliance
  Cloud: netwrix.com/go/cloud

• Test Drive: run a virtual POC in a Netwrix-hosted test lab: netwrix.com/testdrive

• Webinars: join our upcoming webinars and watch the recorded sessions: netwrix.com/webinars

• Come see us at MS Ignite! September 25th-29th, Booth #1825

Page 51

Thank you

Contact us:

Liam Cleary

Microsoft MVP, Blogger

www.helloitsliam.com

@helloitsliam

[email protected]

Jeff Melnick

Pre-Sales Director, Netwrix

[email protected]