Leveraging Visual Basic for Security


1 Leveraging Visual Basic for Security
Poor Man’s IDS

2 Outline
- History of Poor Man's IDS
- Environment
- What to monitor
- Scripts that make up PMIDS
- A bit of Geek
2/16/2019

3 Who am I
- AVP of IT at TAPCO Credit Union
- IT generalist
- Worked at financial institutions for the last 16 years
- Developed security programs for banks and credit unions

4 History
- 15 years ago I developed the account lockout alert
- The idea of leveraging VB scripts for other monitoring started 6 or 7 years ago
- Has been a pet project
- During a Trust CC audit, used it to catch one of Tom's techs
- Dubbed Poor Man's IDS

5 Disclaimer
- Not an all-inclusive solution
- All open source
- Backs up other layers
- I am not a VB Scripting expert

6 My Environment
- No local admins (right?)
- Separate domain admin accounts
- SMTP server
- OUs in AD and on workstations
- Task Scheduler

7 What to monitor
- Malicious activity
- Trusted users
- New accounts
- Restricted group membership
- Brute force password attacks in progress

8 Scripts

9 Pieces
- Domain admin login
- Local admin login
- User lockout alert
- New domain account
- Dormant account
- Bad password count
- Domain Admin membership

10 Layout (for each script)
- What are we trying to capture
- Alert example
- Configuration
- Reaction to alert

11 Domain admin login

12 What are we trying to capture
- Unauthorized use of a privileged account
- Domain Admin account used to log into a server or workstation
- Unexpected user added to the Domain Admins group

13 Alert Example (server)
- Sent to the domain admin that logged in

14 Alert Example (server, non-admin user)
- Sent to the default address

15 Alert Example (workstation)
- Sent to the configured email address when an admin logs into a workstation

16 Configuration
- Run from the OU that houses only domain admin accounts
- Added logic to not alert on certain users
- Section listing the email address of each admin
- Sends an email to a default address if no email is listed for a particular account

17 Reaction
- User logs into a server or workstation with a domain admin account
- An alert is received in their non-admin account
- If the user did log into that system, no action is necessary
- If not, the admin should immediately change the password and begin an investigation
- Reboot the remote system to kick the user off
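The logic slides 12 to 17 describe (who gets told, and how the server and workstation cases differ), as an added PowerShell logon script. This is not the presenter's VBScript; it is an example written for this page. The SMTP relay, sender address, default alert address, ignore list and the admin-to-mailbox table are placeholders, as are the account names in them.

```powershell
# Added example (not the presenter's script): domain admin logon alert.
# Everything in this first block is an assumption for illustration.
$SmtpServer   = 'smtp.example.internal'
$From         = 'pmids@example.internal'
$DefaultAddr  = 'secalerts@example.internal'   # used when an admin has no mailbox listed
$IgnoreUsers  = @('svc-monitor-da')            # accounts that never alert (slide 16)
$AdminMailbox = @{                             # DA account -> that person's non-admin mailbox
    'jdoe-da' = 'jdoe@example.internal'
}

$user     = $env:USERNAME
$computer = $env:COMPUTERNAME
if ($IgnoreUsers -contains $user) { return }

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$kind = switch ($productType) { 1 { 'workstation' } 2 { 'domain controller' } default { 'server' } }

# Server logon: tell the admin, or the default address when no mailbox is listed.
# Workstation logon: a DA account should never be there, so the default address is always copied.
$to = @( if ($AdminMailbox.ContainsKey($user)) { $AdminMailbox[$user] } else { $DefaultAddr } )
if ($kind -eq 'workstation' -and $to -notcontains $DefaultAddr) { $to += $DefaultAddr }

$when = Get-Date -Format s
$body = @"
Domain admin account $user logged on to $kind $computer at $when.
If this was not you: change the password for $user immediately, begin an investigation,
and reboot $computer to terminate the session.
"@

Send-MailMessage -From $From -To $to -SmtpServer $SmtpServer -Port 25 `
    -Subject "Domain admin logon: $user on $computer ($kind)" -Body $body
```

Link it as a user logon script in a GPO on the domain admin OU. Two caveats worth knowing: a logon script runs in the logging-on user's context, so the DA account needs a path to the SMTP relay, and logon scripts fire only for interactive and RDP logons. A DA account used over the network (admin shares, remote WMI, PsExec) never runs one, so the Security log (event 4624 with its logon type) on the target is still needed for that case.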

18 Local admin login

19 What are we trying to capture
- Unexpected / unknown user in the local Administrators group
- Helps us find the outliers that have not been removed from the local Administrators group
- Identifies any accounts added to the local Administrators group

20 Alert Example

21 Configuration
- Run from a local GPO
- Local GPO created by copying the files to each workstation
- Local policies are stored in C:\Windows\System32\GroupPolicy
- Has logic to disable the alert for certain workstations and user names
- Email is sent to a group

22 Reaction
- If it is not a system the user normally logs into, lock the account and contact the user
- We use it to find those users not previously removed from the local Administrators group
- Reminds us in the event one of us put the user in the local Administrators group to troubleshoot

23 User lockout alert

24 What are we trying to capture
- Invalid login attempts
- Alerted after the account is locked out
- Brute force attacks
- Track lockouts / unlocks

25 Alert Example

26 Configuration
- Installed on a domain controller
- Scheduled using Task Scheduler
- Runs every 2 minutes
- Keeps a log
- Sends only one alert per lockout

27 Reaction
- Creates a helpdesk ticket
- Internal procedure requires us to contact the user
- Unlock the account

28 New domain account

29 What are we trying to capture
- Know when a new account is created
- Knowledge of unauthorized account creation
- We attach the alerts to help desk tickets

30 Alert Example

31 Configuration
- Runs on a domain controller
- Scheduled using Task Scheduler
- Runs every 5 minutes

32 Reaction
- Change control policy requires approval for all new accounts
- Unauthorized accounts are deleted
- Alert contains who created the account

33 Dormant account

34 What are we trying to capture
- Identify "lingering" accounts
- Not logged into for 90 days
- Non-service accounts that have gone dormant

35 Alert Example (text file contents)

36 Configuration
- Runs on a domain controller
- Scheduled using Task Scheduler
- Runs on the 1st of every month

37 Reaction
- Reviewed monthly
- Automatically creates a help desk ticket
- Lingering accounts are investigated and appropriate action taken

38 Bad password count

39 What are we trying to capture
- Brute force password guessing
- Multiple accounts with a bad password count of 2
- Automated password guessing would hit multiple accounts in a very short time

40 Alert Example

41 Configuration
- Runs on a domain controller
- Scheduled using Task Scheduler
Issues
- Bad password count is not replicated across DCs, so the script sees only failures handled by the DC it runs on
- Child OUs are not parsed through

42 Reaction
- Admins would begin an investigation
- Heighten the network monitoring level to find the source
- Implement the incident response program

43 Geek out time
- Connecting to Active Directory

44 Geek out time
- Looping through items in a list

    Option Explicit
    Dim objNetwork, objLocalGroup, objMember, strComputerName, strUserName, sendmsg
    ' Who is logging on, and where: WScript.Network gives both without an AD lookup
    Set objNetwork = CreateObject("WScript.Network")
    strComputerName = objNetwork.ComputerName
    strUserName = objNetwork.UserName
    sendmsg = 0

    ' Bind to the local group.
    Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/Administrators,group")
    ' Enumerate direct members of the local group.
    For Each objMember In objLocalGroup.Members
        ' Check whether the logged-on user is a member of the local Administrators group.
        ' Direct members only: membership through a nested domain group is not seen here.
        ' User names are case-insensitive in Windows, so compare them that way.
        If LCase(objMember.Name) = LCase(strUserName) Then
            sendmsg = 1
            SendAlert
        End If
    Next

45 Geek out time
- Testing / verifications

46 Geek out time
- Testing / verifications

    ' Temporary check while testing: show each member as it is enumerated
    MsgBox objMember.Name

47 Geek out time
- Sending alert

48 Geek out time
- Sending alert

    ' Sends the alert. emlsender, emlrecip, emlrecipcc, emlsrvr and msg are set in the
    ' configuration section at the top of the script (the address list from slide 16).
    Sub SendAlert()
        Dim objMessage
        Set objMessage = CreateObject("CDO.Message")
        objMessage.Subject = "Domain Admin Workstation login"
        objMessage.From = emlsender     ' From header; most relays reject mail without one
        objMessage.Sender = emlsender   ' Sender address
        objMessage.To = emlrecip
        objMessage.Cc = emlrecipcc
        'objMessage.AddAttachment Attachment
        objMessage.TextBody = msg
        ' Send through a remote SMTP server (cdoSendUsingPort = 2), not a local pickup directory
        objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        ' Name or IP of remote SMTP server
        objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = emlsrvr
        ' Server port (typically 25)
        objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        objMessage.Configuration.Fields.Update
        objMessage.Send
    End Sub

49 Geek out time
- Batch file hand offs
- Run as domain admin
- Limitations

50 Conclusion
- Network security should be multi-layered
- VB scripting is extremely powerful
- Many examples are available on the Internet

51 Questions?
John Eyre, MCITP, CCNA, VCP, MCSE
AVP of IT

