7/23/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Hacker Tools to Protect Windows Clients (WIN-B327)
Erdal Ozkaya, Raymond Comvalius
Warning! This presentation contains occasional bad language and subject matter that some may find disturbing, and some information which you should not use in live environments without permission.
Erdal Ozkaya, www.ErdalOzkaya.com
Raymond Comvalius, www.nextxpert.com, @NEXTXPERT
Improvements that Microsoft has made in the Windows platforms have driven BAD GUYS to new tactics.
There are two types of organizations:
- Those who realize they’ve been hacked.
- Those who haven’t yet realized they’ve been hacked.
Moving forward, there will be two types of organizations:
- Those who adapt to the modern threat environment.
- Those who don’t.
Attackers have set their sights on identity theft and they’re breaking into systems as you!
~75% of users use the same password on every web site (Robert Siciliano, Security Researcher, McAfee). Attackers know this and exploit the weakness: they steal passwords from small online businesses and use the same password to access more interesting accounts, such as banking.
(Diagram: several "Small Online Business" sites feeding stolen passwords into "Banking".)
There is a prolific and easily accessible black market that facilitates the buying and selling of identities, credit cards, etc. Personal information about you can almost certainly be found there!
Once upon a time… servers were the main targets, but today this has changed…
The new trend: client-side attacks
- Web browsers
- E-mail clients
- Instant messaging
- Streaming multimedia players
- FTP clients
- Web-enabled applications and services
- Social engineering
- TBA !!! (zero day)
Why are client-side attacks successful?
- Lack of effective defenses
- Misbehavior, assuming you are protected
- Assuming you are up to date
- Lack of common sense or good judgment
Vulnerabilities that lead to client-side attacks
- User ignorance
- Poor defenses
- Malicious HTTP requests
- Lack of maintenance
Demo: How are you tricked into this?
Implement Defense in Depth
Did you know? The most secure environments follow the “least privilege” principle.
OS Mitigations
Privilege escalation
- Elevating a standard user to admin requires an exploitable bug
- User Account Control will NOT save you from elevation
- User Account Control is NOT a security boundary
IE Protected Mode
- Only for the Internet zone by default
- Only with User Account Control enabled
- iexplore.exe runs at Low Integrity Level
- User Interface Privilege Isolation (UIPI)
The Universal App (Modern App)
- Sandboxed in an AppContainer
- Runs with a Restricted Token
- Runs at Low Integrity Level
- Can only access its own folder in %programfiles%\WindowsApps
- Capabilities defined by the developer
- Helper processes can do some common tasks
IE Enhanced Protected Mode
Default for Desktop Internet Explorer:
- 32-bit content process by default
- Low Mandatory Label
- No AppContainer restrictions
Default for Modern UI Internet Explorer:
- 64-bit content process by default
- Runs in an AppContainer on Windows 8 and higher
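As an added example (not part of the deck), a read-only PowerShell audit of the settings the three slides above depend on: UAC, Protected Mode for the Internet zone, and Enhanced Protected Mode. It assumes Windows 8.1 with IE 11 and reads the per-user IE keys, so it must run as the user being checked; settings pushed by Group Policy live under the corresponding Policies keys, which this snippet does not consult.

```powershell
# Added example, not from the presentation. Read-only check of the client
# sandbox prerequisites: UAC on, Protected Mode on for the Internet zone,
# Enhanced Protected Mode (EPM) on, 64-bit EPM content processes on.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# UAC must be enabled or IE cannot run its content process at Low IL.
$uac = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'

# Zone 3 is the Internet zone; value 2500 is "Turn on Protected Mode":
# 0 = enabled, 3 = disabled.
$pmInternet = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' '2500'

# EPM: Isolation = "PMEM" turns it on ("PMIL" = off);
# Isolation64Bit = 1 makes the desktop IE content processes 64-bit too.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$epm    = Get-RegValue $ieMain 'Isolation'
$epm64  = Get-RegValue $ieMain 'Isolation64Bit'

function Get-IeSandboxStatus {
    [pscustomobject]@{
        UacEnabled             = ($uac -eq 1)
        InternetZoneProtected  = ($pmInternet -eq 0)
        EnhancedProtectedMode  = ($epm -eq 'PMEM')
        Epm64BitContentProcess = ($epm64 -eq 1)
    }
}

Get-IeSandboxStatus | Format-List
```

Any $false in the output means the corresponding slide's protection is not in effect for this user; a $null registry read for the zone value means the setting has never been changed from the OS default.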
Additional Mitigations
Antivirus
- This was once effective
- Still recognizes the usual suspects
- Easy to bypass?
“Symantec's senior vice president for information security estimates antivirus now catches just 45% of cyberattacks.” (The Wall Street Journal, May 4, 2014)
Enhanced Mitigation Experience Toolkit (EMET)
- Hardens legacy applications
- Verifies SSL certificate trust
- Utilizes the Application Compatibility Framework
- Test before you apply EMET!
Demo: Protecting Legacy Applications with EMET
Pass the Hash and Pass the Token
Pass the Hash and Pass the Token
- Steal credentials from memory without the password
- Use Bing and you can do it too (on Windows 7)
Mitigating Pass the Hash or Pass the Token: “old” mitigations
- Don’t get hacked
- Don’t log on with elevated accounts
- Restrict connectivity
- Force a reboot after logging on with an elevated account
- Never lose sight of your Domain Controllers
Demo: Pass the Hash, Pass the Token
Mitigating Pass the Hash or Pass the Token: new mitigations in Windows 8.1 and Server 2012 R2
- Strengthened LSASS
- Fewer credentials in memory
- Methods to restrict network access for local accounts
- RDP Restricted Admin Mode
- Protected Users group in Active Directory
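As an added example (not part of the deck), a read-only PowerShell audit that reports whether each of the five Windows 8.1 / Server 2012 R2 mitigations on this slide is actually in place on a client. It assumes an elevated PowerShell session on a domain-joined Windows 8.1 or later machine, with the RSAT ActiveDirectory module present for the Protected Users check; the registry values are the documented LSA, WDigest and Restricted Admin settings, and the network-logon check uses the well-known local-account SIDs S-1-5-113 and S-1-5-114.

```powershell
# Added example, not from the presentation. Audits the credential-theft
# mitigations from the slide; it only reads configuration, it changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PassTheHashMitigationStatus {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Strengthened LSASS: RunAsPPL = 1 runs LSASS as a protected process (off by default).
    $lsaProtected = (Get-RegValue $lsa 'RunAsPPL') -eq 1

    # Fewer credentials in memory: WDigest must not cache plaintext logon credentials.
    # On 8.1 / 2012 R2 an absent UseLogonCredential value means "off".
    $wdigest    = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $wdigestOff = ($null -eq $wdigest) -or ($wdigest -eq 0)

    # RDP Restricted Admin mode: 0 = enabled, 1 = disabled,
    # $null = OS default, which depends on the installed updates.
    $restrictedAdmin = Get-RegValue $lsa 'DisableRestrictedAdmin'

    # Restrict network access for local accounts: "Deny access to this computer
    # from the network" should list S-1-5-113 (Local account) and S-1-5-114
    # (Local account and member of Administrators group). secedit needs elevation.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $denyNet = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $localDenied = ($denyNet -match 'S-1-5-113') -and ($denyNet -match 'S-1-5-114')

    # Protected Users: privileged accounts belong here (no NTLM, no WDigest,
    # no delegation). Reported as $null when the AD module is unavailable.
    $protectedUsers = $null
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        try {
            $protectedUsers = (Get-ADGroupMember -Identity 'Protected Users' |
                Select-Object -ExpandProperty SamAccountName) -join ', '
        } catch { $protectedUsers = "lookup failed: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        LsassRunAsPPL          = $lsaProtected
        WDigestPlaintextOff    = $wdigestOff
        DisableRestrictedAdmin = $restrictedAdmin
        LocalAccountsDeniedNet = $localDenied
        ProtectedUsersMembers  = $protectedUsers
    }
}

Get-PassTheHashMitigationStatus | Format-List
```

Run it on a sample of clients and on the Domain Controllers themselves; an empty ProtectedUsersMembers string is the most common finding and means the group exists but nobody has been placed in it.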
Hacker Tools
Tools used by hackers & security pros
- Kali (BackTrack) Linux
- Metasploit
- NMAP
- Ophcrack
- Sysinternals
- Mimikatz
For more information check our blogs.
Demo: Hacker Tools summary
Summary
Your mitigations
- Don’t use administrative credentials
- Use Modern Apps
- Keep your systems up to date
- Keep using antivirus (for low-hanging fruit)
- Test and implement EMET
- Encrypt your Domain Controllers
Windows 8.1 Security Capabilities
Modern Access Control (Securing the Sign-In, Secure Access to Resources):
- First Class Biometric Experience
- Multifactor Authentication for BYOD
- Trustworthy Identities and Devices
- Single Sign-On to Service Providers
Malware Resistance (Securing the Boot, Securing the Code and Core, Securing the Desktop):
- Provable PC Health
- Improved Windows Defender
- Improved Internet Explorer
- Improved System Core Hardening
Protect Sensitive Data (Securing Device with Encryption):
- Pervasive Device Encryption
- Selective Wipe of Corp Data
Trustworthy Hardware: UEFI, Modern Biometric Readers, TPM
Windows Resources
- Windows 10: http://aka.ms/trywin10 (Stop by the Windows Booth to sign up for the Windows Insider Program and get a FREE Windows 10 T-shirt, while supplies last!)
- Windows Springboard: windows.com/itpro
- Windows Enterprise: windows.com/enterprise
- Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
- Desktop Virtualization (DV): microsoft.com/dv
- Windows To Go: microsoft.com/windows/wtg
- Internet Explorer TechNet: http://technet.microsoft.com/ie
Resources
- Sessions on Demand: http://channel9.msdn.com/Events/TechEd
- Learning, Microsoft Certification & Training Resources: www.microsoft.com/learning
- TechNet, Resources for IT Professionals: http://microsoft.com/technet
- Developer Network: http://developer.microsoft.com