Security BSides Amman 2019 - Advanced Windows Attacks & Defensive Techniques

Show video

Welcome. I was, honored to be talking at the fifth security, beside, conference, in Jordan it was, also great meeting, with all the security professionals. Under one roof and engaging, in great conversations. I want. To thank everyone, who attended my session, and upon, the request I'm recording. My session and we'll make it available for everyone my. Session is called advanced. Windows threats and defensive. Techniques, if. You, really want to see how the bad guys can bypass your, security controls, and hack, into your network then. You are in the right place but, don't worry I will teach you how to be prepared and share, with you best practices, on how to protect your network, it. Is going to be a level 400. Session with a lot of demos I am, also uploading, the presentation, to SlideShare, so, you can view the slides anytime. Now. Let me introduce myself, my. Name is Ahmad Hasan am, certified, information systems. Security professional and, a, Microsoft, MVP I love. Sharing knowledge so you can see me author security, courses, at pura site one, of the biggest and most respectful. Online training platforms, today I also. Love writing about things I find interesting and, recently. I authored, a book called. Cloud, migration where, I talk about the cloud reference, architecture, and cloud, security. Talking. And beside hermanas, a remarkable. Experience, for me and it's, not just this conference, I traveled, the world and talk in other international. Conferences, in the United States Europe. And the Middle East the last, couple of conferences, I talked in where, the Microsoft, ignite in Orlando, Florida and the, modern workplace conference. In Paris if. You want to learn more about my community, work and speaking, events, feel, free to check the links in this slide and, it would be great if we connect, on social media so I can get your feedback on this presentation today. We are going to do a lot of hacking I will, start by hacking the windows services, specifically. I will show you how attackers, can stop the antivirus, service on your Windows machine to, evade detection, I will. Then hack Windows services, running, under the dome in admin, account and show you how to steal, the domain admin passwords, in clear-text then. We will work on Windows memory and we will try to hack into that dark protected. Area, in memory, where, all password, hashes, are stored, we. Will use these hashes to impersonate, the local admin account on a machine and then use pass the hash technique, to move to other machines using stolen hashes. After. That I'm going to show you the, cipher, killed, chain, and how, you can use it to plan your security, controls, mainly. I'm going to show you the pre preached side, of the cyber kill chain and how, to use Microsoft, Defender, ATP, or advanced, threat protection to. Detect and prevent attacks, from happening and then, I'm going to jump to the post preach side and show, you how a I and machine learning can, help you detect anomalies and, detect. Lateral, movement, and here. I'm going to show you how a sure ATP can, help an anomaly, detection, in. This. Demo I will show you how to stop the antivirus, service which, should not be an easy thing to do as these services, are usually harden in a way that you cannot just go and stop them, after.

The Demo I will share with you links, to tools and some reference articles, so, that you can try to hack, the antivirus, service yourself, isn't. That great, if, you watch movies where someone is trying to break into a secure location. The first thing you try to do is to kill the alarms, or to get the security, Doc's to sleep this, is how the thief can work freely, inside the secure location, without being detected in, the, computer, world things, are not different as well the, first thing you want to do as an attacker is to kill the alarm which is the antivirus, software, so, that you can download more, tools from the internet and perhaps steal. Valuable information, without, being detected, now. We all know that the antivirus, service is hardened, in a way that, you cannot just stop, it even, if you are the local admin on the machine but. Believe me when I say there, are other ways to do that if you, don't believe me let me show you in this demo how to stop, the, antivirus. Service in your Windows machine. I am. Now at my demo machine and I will quickly open the services, management console, you, can see a service, called dummy, service, and, this can be your antivirus service, like McAfee, or Symantec, you can also see, I cannot start or stop the service as it is hardened, in a way that prevents any such interactions, which, is how we expect, a good antivirus, service to behave let. Me open a command prompt, and you can see I am at the admin on this machine and even, the local admin, cannot stop the dummy service, now. Let me use a tool, called PS. Exec, which, is written by the famous mark, russinovich the. CTO of azure currently, I'm going. To use the -. S -, I and -, D switches, to, impersonate the local, system account, now. I'm running the command prompt, using, the local system account which. Is the most powerful account, and windows and in, theory it can do anything now if, the local system, tries to stop the deme service you, can see I get an access, denied so, even the local system cannot stop the antivirus, service so, let me quickly clean, the command prompt screen and talk about the security, descriptor. Definition. Language, or s. DD. And language. Using. This language I can, list the permission, of any Windows service, using this command. SC. Which stands, for service. Control, and then, s the show and the, name of the service don't. Worry if you don't understand, what this means at first because, I'm going to help you figure this out this. Is the s DD a language, and it is so easy to understand. Once you know how to read it now. D stands. For this section area access control, a, stands. For allow permission. The. Next long string, is list, of rights or things you can do to the service and then. We have the security principle, in this, case BU, stands, for built, end users, sy. Stands. For system account, and ba, stands, for the belt and at, traitor, now. To understand, this long string, that represents the. Rights and privileges a security. Principal has to a service, I have, listed couple, of them for clarification. Purposes for. Example the built an administrator, has, the RC, right which stands for read. Permission. So, built-in, admins can read the permission, of the service, CR. Stands, for reading, extended, rights and ll stands for reading, objects, what. Is missing though as the WP. Right which, stands for write property. This, is what we need in order to start and stop services now. Let us search for our windows service, that, my user can start and stop like, the, workstation. Service for example you. Can see I have the permission, to start and stop the service, so, let me quickly copy, the service name and go, back and view, the SDL, permissions, of the, service, by running the SC, as this show and the, service name here you can see what permissions, that built-in admins, have which includes the WP. Permission. And you, can compare, that with the permissions, given to the built-in admins, on our dummy service, now. I will quickly copy, the sedl permissions.

Of That, dummy service to a notepad so. We can have a closer look. What. I will do next is to copy the rights assigned, to the built and admins, on the workstation service. And replace. It to, the rights assigned, to the built-in admin on the dummy service this. Should do the trick after all, now. I use. The SC, sv, set and the, dummy service name to, construct, my new command, and then, I will paste it to an elevated, command prompt, running under the local service, account you, can see his default command and it shows it is, running successfully. The. Belt and admins, now have. The same rights on dummy, service, that, they, have on, the workstation service. Including, the WP. Right, now. If we go to the services, management console, and search for our dummy, series. You can see I can stop the service now, mission. Accomplished. Throughout. The demo I used many tools and talked about a lot of technologies. So make sure to check these links, for more information, do. You believe me now any Windows. Service can be stopped if you have the admin privileges, so. Here, is my challenge for you go, to your Windows machine and try to locate your antivirus service. In the services, console and verify. That it cannot be stopped from that console you, might have McAfee, Symantec. Or any other product, now. Using. The same techniques, I showed you in the demo try, to stop, the service, finally. Please, share your results of this challenge in the comments below. Now. That you know how to stop the antivirus. Service let's, now hack some windows service accounts, I will. Talk about the number one finding. In any penetration test. And one of the easiest way for an attacker to compromise. Your whole network it. Is like giving an attacker a priority, pass or the, keys to the kingdom, saving. Him both time, and effort, did. You guess what I'm talking about, it, is the nightmare for, any security professional. To have a Windows service running, under the domain administrator account. In, almost every, organization there, is a service, running under the domain admin, account or at least other highly, privileged, account this. Is usually your backup, service, that needs. To backup all the files including sequel. Databases, exchange. Services, and Active Directory you. Know I work in big organizations and. I always here the backup, team saying, we need to run the backup shop under the domain admin account to backup the Active Directory but. A better way is to run a schedule task in one of you two main controllers, and that, schedule, tasks will be running under the local system and it, invokes, a PowerShell script now. That partial, script will, take a backup of your Active Directory and, copy, the backup files to a remote secure, file share we're, your backup software, can. Then go and take backup, of these files without, the need to expose, you to main admin account, another.

Examples. And scenarios where, the domain admin, is used to run services. Is when you are running security, tools that, connects, to all your workstation. And servers perhaps, the scan for, vulnerabilities. These. Tools usually require, admin, rights on all machines what. Would be the easiest thing to do well. Let's, use the domain admin, account now. A better advice, and, practice, is to, use group policies, and configure. A dedicated, account, to be member of the local admin, group on all machine, and using, that dedicated. Account, for, your security, scanning tool I also see people tending to use the domain admin, account for almost everything. Because, it's easier, that way you don't need to think about what permissions, to give all finding, yourself facing, error messages, related, to insufficient. Rights so, why not to use the domain admin account for everything, now the domain admin, should only be, used when you log into your domain controllers, and troubleshooting. Or doing, some Active. Directory stuff. Nothing. Else now. Let me show you the risk of running a domain admin, under a service, account if an attacker gain access for example to a Windows machine and the, domain admin, account was used to run a Windows service then, in this demo I will show you how easy it is to reveal the password, of the domain admin account any clear text this, is clear text, and not the hash of the password even, believe. Me when I say that the first thing attackers, will do is, to search for services. Running, under the domain admin account and once they find one it's, game over so. Let us dive into the demo and see, how this works from the attacker perspective. I'm. Looking into one of my servers, and let me open the services, console you. Can see I have a service running under the domain admin, account if I, open the service properties, you, can see under the log on tab the, domain admin, is used to run the service indeed which, is a bad thing for your security team and a good thing for an attacker now. The attacker wants to reveal the password, of the domain admin account by, hacking into the service by, using a tool called se. PD, or service. Account, password. Damn, the. Attempt, failed as you can see let. Me try to open a command prompt, using the local system account which, I can easily do by using a famous tool, called PS. Exec written by the famous mark russinovich, the, city of azure, now. I have a command, prompt, and I'm, impersonating. The local system account on, this machine which, is the most powerful account. On this machine now. If I browse to my tools folder and run, the same tool, which is SAPD, or service. Account password, dumper tool and provide, the service name guess. What I can see now you. Are right I can, see the password of the domain admin account in clear-text, not, the password hash the, actual, password in clear-text as you can see here, when. You run a service, under a service, account windows. Stores, the password, in a secure location in, the registry, so that the service can still run if the, machine is disconnected. From the network, mission. Accomplished. You. Can see how easy it is to reveal the password, of service account if you are the administrator on. Windows the. Password, of a service account is stored locally in a secure location in, the registry so that if the machine is offline, or disconnected, from the network the, service can still keep, running, here. Is my challenge for you go. To your Windows machine and try, to locate, one of your services, running. Under a privileged, service account try. To reveal the password, of the service account and share, your result, and feedback, in the comments below I know. That all this sounds, scary and by, now you should, carefully consider, what accounts, used to run your services, as a rule you, should never ever, use, the domain admin, account to run any Windows service, and there, is no exception, whatsoever. For doing this what. About best practices that you should consider when planning your service accounts, the. Best way to handle service, account says to use managed, service, accounts, they, are available, to you since Windows, Server 2008. R2 and the, password, for such accounts, are managed by your domain controllers, there.

Is Also another variation, of, managed service accounts, called Group managed, service accounts that allow you to use the same managed service account across multiple, machines think. Of an i is pool, account, that is shared across many, front-ends, notes, the. Next thing you should consider is, to give service accounts, just, enough, privileges. To carry on their purpose nothing. More and nothing less and remember. Once an attacker hacks, into a machine every, account used on that box should be considered, compromised, including, service accounts, now. During the demo I used, many tools and talked about a lot of technologies. So, make sure to check these links, for more information. It's. Time to steal some password, hashes, and impersonate. Accounts, to move laterally, inside, the network using, pass the hash technique. Attackers. Love passwords. And we ask security, professionals. Hate them for their weaknesses, and end. Users either write them down share, them or use weak passwords, that can be easily guessed, but. Attackers, are not after your password, anymore they, can do the same damage by only knowing your password, hash the. Bad news is that Windows keep all password hashes, in a protected, area in memory if. Attackers. Can hack into that protected, area they, can access password, hashes for every account using. That Windows machine not only your password, you, think this is bad wait till, you learn that attackers, can use these hashes to, connect to remote resources, also using. Pass the hash technique, and this, is how attackers, move inside your network usually undetected. Now, do you want to see all this in action I'm sure, you do so, in this demo I'm going to show you how, to hack into this protected, area in memory and get, access to all these hashes we talked about to. Make this demo more interesting, we're, going to steal the hash of the local administrator. Account, and pass. That, hash to, a nearby Windows. Machine, and gain access to sensitive, information, this, is known as pass, the hash technique, so, let's start our demo, let.

Me Start by opening a, command prompt and verify, what account I'm using and, whether it is a local admin on the machine or not you. Can see that I'm running under, an account, that is member of the local administrator. Group now. Let me quickly clean, the screen and browse to my tools folder and I want to find the tool called mini, cats which. Is the number one forbidden. Tool by Microsoft. And there, is a good reason for that this, tool dumps, password, from memory as well as hashes, now. Let me run the tool and clean, my screen, and I, will start by attaching it, to a debugger by. Typing, privileged. Debug, you. Can see I get an error but, don't worry this is intentional. The, reason is I need to run the command prompt. With elevated, droids so. Let me quickly open, a command prompt, with run as administrator, browse. To my tools, folder, and run, mimikatz, again, now. I will try to type, the same comment, debug. Privilege. And you, can see the common run successfully. Now. This is possible because by, default the local, administrators. Group has, debug, privilege, which, we can quickly verify by. Opening the local group policies, console, browse. To Windows settings security. Settings, user, write management, and then search, for debug. Programs, here. You can see that administrators. Have, the right by default, and you can see that assigning. This right can, be a security, risk now. Let me go back to mini cards and now I will enable logging, so, that any output, generated by this tool will be locked in a text file as you can see here. Now. Here, is where the magic starts I. Will, type, secure. ALS ALS a stand for local security authority so. Secure. Elysee, and then, logon, passwords. Fall. To, dump the hash is stored in, memory for. Every, account who logged onto this machine now, all what you see here in the screen is, a memory, dump of all passwords, in memory, here. Is my user her mod and you. Can see different type, of hashes. For my password stored, in memory and, available, to me using this tool and this, is what allows Windows, to any will single sign-on in the first place so. That I don't need to type my password each, time I access network resources, that's, why Windows stored, password, hashes, in memory. The, most interesting, part is the ntlm, hash of my password, now. Let us try to find another password hashes stored in memory just, for fun and as, you can see there, are a lot of them here. Is an account called, l3. Admin, which is level, 3 admin, it seems, one of the three engineers locked, onto this machine perhaps to solve a problem and we can see the ntlm, hash for this account available for, us let. Me try to open the loop file and search in the loop file just for clarity, and try. To find other password, hashes, specifically. The password, hash for the local admin on this machine which, is called the, master account we. Can see the domain is demo, one which. Is the name of the Machine and this means this is a local, user and here, is the ntlm. Hash of the, master account which is the default local. Administrator. On that machine i will. Copy that hash and open a new notepad, and paste, the hash there for our next step. Later. In this demo we will use this hash to connect to another machine called demo, three using. My account, which is Hammar I don't, have access to connect to a demo 3 machine which, is a nearby, machine, in fact, let me prove it to you very quickly I'm, using PS, exec, to connect to demo 3 and you, can see I don't have admin, rights on that machine, but. If I am lucky enough the. Local admin password, of my machine and demo. 3 machine is the, same password. And since, I have the hash of the local admin password in my notepad, I can, use mimikatz. To, have a functional, command prompt using, the context, of the local admin, just by passing the hash you. Can see the full command I use in mini carts I type. Secure. LSA then. The username as master, the, domain name as localhost, since. This is a local account and the. Ntlm, hash I got earlier, in my notepad, now. You can see I got a new functioning. Command, prompt window let, me put both windows, next, to each others the. Left side window, is running, under my account Hammad, and the, right side window is running under the built-in, admin, account, now. The confusing, part is when we type Who am I on both windows, I would expect, the result to be master. In the, right side window which is the local admin. But don't worry this, is just how things work, with, these tools to. Prove it you remember my account could not connect to the monthly machine as you see here again now. On the right side window, you can see I'm using PS, x'q again to connect to the monthly machine and, the tool is taking, time to, establish a, remote session on day one three using, the master account password, and since, my machine, and demo three machine both, have a local, admin account called, master, with, the same password, this, command, should work and.

Bypassing. The hash I have, now a functional. Command, prompt on a remote, machine. If. I type hostname. On both terminals you, can see on the left side the, hostname is demo, 1 and on, the right side the, host name is demo. 3 I can. Even browse the, file system, on the remote computer, locate. A secret, folder and access. The credit card information data, machine. Accomplished. What. You can learn from the demo is that the debug privilege, is very risky privilege, you, should use group policy to prevent anyone including administrators, to have such fright unless. You have specific, needs, also. Your users, should not be admins, on their machines, they. Should be running under a normal account and perhaps use. Another separate, admin, account as we. Saw in the demo we used the hash of the local admin account to, connect to a remote machine. Because, the, local admin password, is the same across all machines, you. Should always make sure to have different, local admin passwords, across your machines and to, do that you can use the solution, from Microsoft called. Local. Administrator. Password solution. Or labs. In APs. Also. As a best practice you. Should have your admins, working, with two machines one, machine to access email and browse the web and a, separate machine to perform highly, privileged, tasks this. Way if a malware was delivered through the web or email it cannot, do much damage because your, admins, are using, separate machine for admin tasks, now, one of the two machines can be a virtual, machine and there, is a great solution from Microsoft to implement, that it is called the, privileged, admin, workstation. That I encourage. You to look at finally. You can disable the local admin and the guest accounts, and all machines, just in case here. Are some good references, for you to learn more about some tools and technologies, we talked about so far. It's. Time for my favorite part of this session and be, prepared as we go deep into how sophisticated. Cyber attacks, happen, and how, you can as a security professional plan. Your security, controls, accordingly. Have. You ever heard about the term cyber, kale, chane you. Might know what it means even if you don't recognize its name a cyber, kill, chain reveals. The faces, of a cyber attack from, early reconnaissance. To the goal of data exfiltration, it, can, be used however by, security, professionals, to improve network defenses. On each stage of the cyber kill chain now, let me show you how, sophisticated. Attacks actually, happened, usually. An attacker selects. A target, and do some researches, to learn more about, vulnerabilities. This, is usually called, reconnaissance. Fees after. Doing all the research now. The attacker, is ready to move to the weaponization, fees, as he creates a malware trail, to one of the vulnerabilities, discovered guess. What's, the next step of course, the, attacker delivers, the malware to the target via an email attachment, USB. Drive or any other possible, way now. That man were lives in the target machine and network the, man will start a privilege escalation, on the local machine to elevate it's right and installs, an access point or a backdoor and then connects, to the command, and control center, so, that an intruder can now have remote access most. Of the time patient. Zero or the first machine, being hacked is not interesting, target by itself it just happened that it is the weakest entry point to attack the network so, the attacker now started, discovering, machines. And resources. And move from one machine to another this. Is called lateral movement. And he, keeps moving, until he gets the intended. Resource or credential, this, can be a domain admin credential, or perhaps, a database with. High valuable. Information. Which is the, data exfiltration, fees. The. Objective. Can also be data corruption or. Data destruction, now. Usually, it takes long, time, until someone, discover, is that an attack happened, and then, having forensic. Teams involved trying. To understand. How, the attack, happened, in the first place what, targets, are compromised, and what, was the damage these. Phases together are called the cyber killed chain but. Remember, we, can design and plan our security, strategy around the same phases of this, skill chain you. Can either focus all your security efforts, trying, to prevent the attacker, from installing, a malware inside, your network which, is the pre preach security. Approach or you can focus your security efforts, on detecting. The lateral, movement, of an attacker after. The attacker compromises a, machine, which, is called post. Preach, approach. Most. Security. Controls nowadays, focus, on the pre, preach approach, that. Is how to prevent the malware from getting delivered in the first place here. You have signatures. And packet, filters, that, are good in recognizing. Non threats and then, injecting.

The Results, in the form of antivirus. Signatures or. Intrusion, detection based. Signature, systems, but. With time attacks. Becomes, more sophisticated. And, they start to adapt to evade, detection using, technologies. Like, polymorphism. And with, that the, defenses, themselves, start to evolve and, we start seeing heuristics. And behavioral. Rules being, introduced, into the security, space including. Sandboxes. Where, pieces of the content, would be executed. In a safe isolated, environment, and then, monitored, for signs of malicious, behavior but. The problem, with this approach is, that it, really based, on having, identified. Threats, and then, constructing. These rules and behaviors. That looks for intruder, to identify, similar. Threats even if their signatures, have changed. The. Next wave however is machine, learning promise. Of being able to get ahead of a threat and not being reliant of having to have found something before. In order to be able to detect it for the first time and. Is driven by the introduction, of zero-day malware that are coming, out and the sophistication, of the adversary. Was growing, and therefore, there, was definitely, a desire, to get more sophisticated, defenses. The, promise, is being, able to build super, intelligent, machine that would be able to, reason its way through. The high volume, and velocity of that that, is prevalent, in, the cyber environment. Such. Machine, learning power can, be used in the pre preach approach, or the post preach approach, when, used in the post bridge approach, machine. Learning model is trying to detect anomalies, in, the network that might be caused by a lateral movement of an attacker, now. That you know the cyber cave chain let, me show you how to detect sophisticated. Malware attacks, using the pre pre each approach I'm going. To talk about Microsoft, Defender, ATT, or advanced. Threat protection and, how, it helps you detect 0 the attacks and respond. To emerging, threats, now. That you know what is the cyber kill chain let us talk about the, pre preached detection, and prevention. Triplets. Detection, and Prevention is focused, on identifying threats. Early. In the cyber kill chain and preventing. The malware from installing of the target machine. Endpoint, antivirus. Solution, is the, first and all this technology here but, with time and as the sophistication.

Of Attacks increase. We. Start seeing machine, learning playing a big role one. Way of using machine, learning at, the endpoint level usually, involves, classification. Or supervised. Machine, learning models. The. Game is typically, around, classification. Most, often being applied, to a particular, piece of content, in the network so. These, are things like Windows. Executable, PDF. Word, documents. Or networked streams that. Can be labeled, as being malicious, and, the, whole supervised. Technology. Is really, really, about starting. With labeled data that, feeds machine, learning, algorithms. And they, learn from those labels. Learn from the properties, of the files or, samples. That goes into that machine learning system, and then, it, predicts. If the file is clean or not now. Microsoft has. Great, solution. At the endpoint, level that is called, Microsoft. Defender. Advanced. Threat, protection or. Microsoft. Defender, ATP. That, applies, machine. Learning, at the endpoint, level, to detect and prevents, zero-day. Attacks I, know. Most of you still don't consider Microsoft. As a good security provider, but, Microsoft is changing. Their whole strategy when, it comes to endpoint protection in. Fact. The. Name when those defender, is not, just the antivirus. We all used you know and perhaps choose. Not to trust now, Microsoft. Defender. ATP. Or advanced. Threat protection is. The, new thing and it's a brand name that consists. Of many products, not just only the anti-malware, all, those, products, are working together tightly. Using. The power of the cloud and the, signals, from Microsoft. Threat intelligent. To, deliver a comprehensive solution, that can protect endpoints. From, zero day attacks and, most sophisticated malware. Out there as an. Example Windows. Defender smart, screen block, low, reputation, web, downloads, and even malicious, websites, while. Windows Defender endpoint. Protection, monitors. All windows processes, and files and then terminates. Or cleans any infection, found the, next innovation that comes with Microsoft Defender.

ATP, Is the ability. To automate, the responses. When, an attack is detected, which, is possible, through a recent acquisition, to, a company, called hexa, dyed so. That security admins. Don't need to worry much about, responding. To threats as this, is taken, care of by, the new, automation, capability. And. The. New way of defending, against, attacks, is by utilizing, the power of, the cloud and the, intelligent. Security, Groff at Microsoft, Microsoft. Intelligent. Security graph provides. Rich signals. From vast security, intelligence, machine, learning and, behavior, analytics, that Microsoft's. Allow you to consume and use to, enhance your protection and addiction speeds so. When Windows Defender encounters. A new file for example that. It does not know if it's bad or good file it sends. A file, query, to the cloud hey. Cloud do. You know about this file now. If the cloud knows about these files it will provide a feedback, to the endpoint. Otherwise. It will ask the, endpoint, to send a sample that. Client, holds, the, file and uploads. The sample, to the cloud the cloud, services, will process the sample and check against, machine, learning classifiers, trying. To find out whether, that file, is good or not and then. If the, file turned, out to be holding, a malicious, code the. Cloud will generate a new signature, to that file and send it back to the client not, only to that client it will send it to all clients, so that when they encounter this file they know already to block it now. You can see that many pieces, came, together to. Defend against, two days zero days attack you need a strong endpoint, detect and respond, engine, at the endpoint, level you need the power of the cloud to help you against zero. Day attacks and, you need the power of machine learning and AI at the endpoint, a data cloud to, recognize, new, type of malware, that are seen for, the first time and you might be asking does, this mean the client needs to consult, the cloud and wait for an answer and what, if there is no internet, connection, at that time, well. Here, is how things are designed. Each, Microsoft. Defender, client, has, local, machine learning models and behavior. Based detection algorithms. Right so. This means you can use all that logic, offline. Without consulting the cloud this, operation, takes only milliseconds. But. The client can consult the cloud by sending, only metadata. Only, metadata. So a cloud. Can, use metadata, beef's machine, learning models to determine if the file is malicious, or not this, only, take milliseconds. Also but. If the cloud requested. A sample, then. Sample. Analysis. Based machine, learning, models are used in the cloud which, might take seconds. Not milliseconds. Seconds. Now. In certain scenarios, detonation. Based machine learning models can be invoked which. Might take minutes, and big data analysis. Can, take up, to hours. What. This means is that the client, will, not wait for minutes, and hours if the file is infected. And the cloud could not determine it, is a bad file in seconds, the client will allow the file to run in the, background the. Cloud will continue, working, and analyzing, and might do detonation, based ml, models, and big data analysis, to give the truth about that file so, other clients. Are notified. And updated. Although. We lost patient, zero or that initial. Client who encountered, a file in the first place. When. It comes to the cyber kill chain we, find that Microsoft, Defender ATP fits in the advanced threat detection, area, trying. To detect and prevent malware, from installing and using machine. Learning to, detect, zero-day attacks. Now. It's time for our demo, finally. Now. Attacks, that introduce file based malware, using socially, engineered, emails, are, quite common, recipients. Are tracked into launching a backdoor that gives that hackers control, over what is now a compromised. Machine, now. This demo simulates. That attack. Simulates. The attack that are launched, using a socially, engineered, word document, in a spear phishing, email, the, attack is designed to ensure that the, receiver, does, not suspect a, thing and, opens. The document the. Document however, is weaponized. With, crafted. Macro, code that, silently. Drops, and loads an executable. File into, that machine the. Executable. Then writes, a registry, key and, creates a scheduled, task both, commonly. Known autostart. Extensible. Points after, the attack finishes, we, can explore, and understand. How, Microsoft Defender, ATP, detects. And respond. To, the attack and enables, prompt, investigation and. Response in. This demo I will start by importing, a machine to Microsoft, Defender ATP, then, I will open an infected, document, from the user machine, the, infected, document, drops a backdoor and creates, a scheduled, task for, the resistance I will, then show you how Microsoft, Defender.

ATP, Can, help you in all phases, of the incident, response management including. Detecting. And incident, mitigation. And containment, recovery. And remediation. You. Will then get a chance to, explore the Microsoft, Defender, ATP, management, portal and see, all the new features. Let's. Go to part, one of this demo onboarding. A machine to Microsoft, Defender ATP, in. This. Demo we are going to onboard a demo machine to Microsoft, Defender, ATP, do. That I will, go to Security. Center at windows comm to access the management, portal, then. Settings. And I. Will scroll down to find the, onboarding. Section, under, machine management, here. You can see different ways to deploy, Microsoft. Defender, ATP. Including. Group Policy, System. Center Configuration Manager. And, a, local script I will quickly choose, local, script, and click download package. I will, run this script to my machine to unboard it to Microsoft Defender. ATP, and as, you can see it takes couple, of seconds, now, this. Machine is, protected. And managed, by Microsoft. Defender, ATP. So. As you can see there is no need to install anything just. Running, a script to. Guide this machine to report to the right, Microsoft, Defender, ATP. Tenant and part. 2 of this demo I'm going to deliver a malware to the demo machine let's. Pretend that this machine is a Windows machine of, user who, received this Word document, it, could be delivered to him by email a chat window or by any other means, now, with the user opens that document, he sees this tempting. Yellow bar in the top to enable editing and then, of course there is that macro bar that users, cannot resist and they feel they need to hit that enable, content a few. Seconds later a hidden, powershell script is launched, from this documents, malicious, macro, and it performs. The following actions. First that. Macro drops, an executable, file which represents, the backdoor, onto, the desktop folder, then the scape goes, on to create a scheduled, task to launch the backdoor at a predefined, time and finally. When, the backdoor is launched, it creates, an auto start entry, under the registry, run key allowing, it to stay persistent by, starting, automatically. With Windows you can, also see that Microsoft, Defender, 80p detects what's happening, and this, is where we will continue the demo by logging, on to the Microsoft, Defender ATP management portal now. That the malware is delivered, to the user machine, we, are going in part three of this demo to detect and investigate, the attack on Microsoft, Defender ATP, portal. Let's. Switch to our defender, role and explore the attack from the soft point of view and the Microsoft, defender ATP. Portal, located, at Security, Center dot, windows.com. Microsoft. Defender ATP applies correlation. Analytics, and aggregate, or related, alerts into one incident, entity, allowing, the stock analyst, to understand, and deal with complex, threats across the organization. With, the right visuals, as we see here let, me select this incident, and then open the incident page you, can see in the incident, page all alerts, related, to this incident all machines. Involved. Investigations. Evidence. And graph here, I'm at the alerts page, reviewing. The incident alert, list and Falls, the progression, of the attack from this view you can dive into individual. Alerts you, can also see all machines, affected, by this attack here, we have three machines for example with high security, risk the.

Graph Is also a great, visualization. That shows all machines, involved in this attack and all, entities, involved so. For our machine we can see there is a PowerShell script, involved, and you, can see the hash value of, that script the. Script creates. A scheduled, task to, persist, after reboots. Here. Is also the office, word process, that starts the whole attack when a user opened, the infected, word document, and finally. You can see executable. File or backdoor, that, was dropped from the infected word document, now. Let me go to the demo three machine, and as, you can see each machine, protected. By Microsoft, Defender ATP, has its own page on the, machine page you. Can see different sections. Like alerts. Timeline. Security. Recommendations. Software. Inventory, and discovered. Vulnerabilities. You. Can see also the risk level, of that machine, the. Logged on user and basic. Information about the machine like the domain membership, and operating. System information, let. Me open this alert as we try to reproduce, how the attack took place the. Alert is a PowerShell. Dropped, a suspicious, file on this machine you can see the process 3 here. We have the Windows Explorer, l process, and the, word document, that triggers, the PowerShell script now. That script, the, two things drops. A backdoor and creates, a scheduled task as you can see here you. Can also go deeper and see default PowerShell script, that was invoked, on that machine and the hash value of that script you can also see the, hash value of the backdoor, file, and this, is useful if we want to search if the same backdoor, exists on other machines. Now. If you want to know more details about this scheduled task that was created, by this attack persist. After reboots, you. Can see here the comment, used to create a scheduled, task by the malware this. Is so powerful, I will. Go to the alerts page again and let's open this alert suspicious. PowerShell, command, line and as, you can see you, have the same process 3, and even an icy draw of showing all entities related, to this PowerShell here, you can see the same PowerShell script, is invoked, on a machine called demo one which, is so important, to know not only we discover the attack but, now we can reimagine, how it happens, and what machines. Were infected I will. Go now to the machines, timeline, to get more details about all events, happening, on that machine to, ease investigation. Here. You can see each and every process activities, recorded. For every machine for example you, can see we, have the office, click to run executable. Establishing. A connection to a remote IP you. Can see the command line that was run the, hash of the executable. And the remote IP URL. And even the port number, now. Let me filter, the timeline for alert, related. Events, and we, now have a filtered, view of all suspicious, activities, in that machine including, these a special, special command, line and to. Show you how this is a powerful thing leaveme, filter, the view and search, for PowerShell, you. Can see immediately I can see all events, and suspicious, activities. That involves, PowerShell, on this machine so. For example I have a PowerShell created. A script and the behavior is document, exploit, and we, have the Windward dot exe created. The process PowerShell. Here. We have the context, which is the user called master. Now. We know that the, word document. Created, a process called PowerShell, dot exe which, invoked, a suspicious. PowerShell, script that dropped, a backdoor and created a scheduled task now, that you learn how this attack took place it's, time to take some actions, I will go to the incident, section, and open the incident, page for this attack you, can see I have the action, and assistant section here, I can resolve the incident or assign. The incident, to me so that others, in the sub team can, acknowledge that I will be investigating. This one before, conducting, the investigation. However it's, good idea to look at the reports, dashboard. It provides. High-level, information about, alerts, and, Sheens related, information, generated. In your organization. The. Report includes, trends, and summary information on, alerts and machines knowing. The trends and summaries, related, to others and machines in your organization. Can, help identify where, focused, improvements, can be made for. Example if you see a sudden, spike and a specific kind of alert you can drill down and start investigating, directly. From, the relevant card to, pivot into the alert or machine, queue with, the relevant filters, applied, and determined.

What Action, to take to address an issue finally. I want to show you one, of my favorite, tools to help you investigate, incidents. Remember. That infected, word document, was, found, on the machine that, drops, a backdoor executable. And invoked a suspicious, PowerShell I can. Copy the hash of the word document, and use. The search bar to, see if, this word document, exists, on any, of my other machines, doing. That gives. Me more information, about this document, like the digital, signature and hash values, and whether, this document was seen on other organizations. Globally to, give you more insight if this is a targeted, attack or not you, will also get alerts related, to this document and, the most important, part is you get a list of machines, with Microsoft. Defender 80 pcs, that filed, a new organization. In this, case we have three machines where this word, document get dropped this. Is important, for you as a security professional because, it's, not just mitigating. The threat on one machine but you really want to, see if this attack spread, to other machines and then, cover all infected, machines during your investigation. Before. We end up this demo let me show you another interesting feature, called, automated, investigation. Microsoft. Defender ATP, can start, an investigation. And automate. A lot of actions, without human, interactions, and using. Machine learning here. You can see Microsoft, Defender. ATP, recognizes. A dangerous, tool called mimic at running on one of my machines and it, automatically. Started. An autumn investigation. For me if. You, watch one of the famous crime-scene, investigation. Or CSI, TV, series you, know that investigators. At the crime scene start by gathering. Evidences, and ask, witnesses, to learn more about what, just happened this. Is the same thing we have here under the investigation. Graph we, have the dead body which is the machine or machines list we. Have the witness list people, who might know more about this crime and in, our case we have the, entities. Analyzed so, Microsoft Defender, ATP is investigating. 2342. Files. 150. Processes, in this machine. 262. Services. And couple, of drivers and the. TV series the investigator. Will look at the list of phone calls made by the victim before the crime happens, and here Microsoft. Defender ATP, is investigating. The list of IP addresses this. Machine, talked, to during. That period and all, this investigation. To all these entities, is, finished. After 45. Seconds, only by defender, ATP, this is the true power of automation. We. Have the list of alert, part, of this investigation. List. Of machines, infected, a view. Of all entities, involved. In this investigation as, you can see we have three thousand, four hundred twenty entities, involved here and the, investigation. Log which, is list. Of action, Microsoft. Defender ATP, talk during this investigation and, we have one pending, action, that defender ATP asked, me to confirm before closing, this investigation. I already. Approved this pending, action, which is to quarantine, Democrats. Folders, and executable, in. Part. Four of this demo we are going to log into Microsoft, Defender ATP, portal, and collect. Investigation. Package from the infected machine when. Your forensic, team is involved to understand, how the attack, happened, and truly, understand. The depth of the attack the, first thing they want to do is to collect as much information from, the infected machine, Microsoft. Defender eight gives you the ability from the management, portal to, go and collect an investigation. Package that your forensic, team can, use so. Here I am logged to the Microsoft. Defender ATP management, portal and, I can see I have couple of alerts and they have some machines, at risks, let, me quickly choose, demo, 3 machine and open the machine page I can, quickly see the risk level, of that machine, obviously. There is one incident, with seven, active alerts, so, it might worth investigating. You. Can see a list of actions, in the top bar as this. Action. You as security professional, can perform, remotely, from the management portal without, going to the machine itself one, of the actions, is collect. Investigation. Package, if I, click it this, will send a request to the local, Microsoft, Defender ATP, agent, on that machine, instructing.

It To collect forensic, information right, now from, that machine and send, the results back to the Microsoft, defender ATP, cloud, services and then make it available to me as a security professional from. The portal so that I can continue my investigation. I already. Did that so in the Action, Center I can see there is an item waiting, for my review I can, see the investigation. Package is now, ready for me to review I will open it quickly and see what's inside here. You can see a lot of information, made available for, you to help you in your investigation let, me start by the auto runs as most, attacks involve modifying, the auto run on machines to persist, after reboots, so, it's a good thing to review the author and configuration, for the infected machine you also get a list of installed programs on, that machine the, list contains, information about, each application, installed. On the machine the. Date of installation and, other more detailed information. For you to review, next. We have the network, connections. Very, important, piece of information if. The, attack is still happening on that machine you want to learn about what this machine is communicating. With so. Here you have the active network connections. On that machine including ports. And IPS, this, machine is communicating, with right. Now you. Can also get both DNS, cache and ARP. Just, in case DNS poisoning or, ARP poisoning is taking place in this attack and to help you understand, how the machine is performing, name resolution, you. Also get the firewall, execution. Log and the, IP configuration, of, the machine which might become handy, for your forensic, team the, investigation, package also includes, a list of processes running on that machine which. Gives you deep inside about. What is happening inside that box without, even touching that machine you also, get, the scheduled, tasks, information. To, learn if an attacker creates, a scheduled task on that machine perhaps to persist, after reboots, as, you can see in the excel sheet here, you get a lot of information about each scheduled, task on that machine now. My favorite one is the security event log here, you can search inside, the security, log files of the infected machine and analyze, all security. Events to help you understand, more about the, attack happening, next. You get a comprehensive, information. About services, running on the remote machine including, service. Name running. State service. Account used to run each service, and the associated process, ID for running services you. Get also information, about SMP. Sessions, taking place on that machine because. Remember attackers. Might move from machine to another by using pass the hash technique, and they, can use SMP, for lateral movement, so, here you get a list of all SMP. Sessions. System. Information is another good information, you get as part of the investigation, package, to learn more about the machine and the hardware profile.

Finally. You get information about all local. Groups on that machine as you can see here you. Also get information about, session, information so, you, can see that a user code master, is connecting, to this remote machine using RDP, protocol, you, get a forensic, investigation. Summary, file containing, information about, how, Microsoft Defender, ATP collected, all this information, together for. Example Microsoft, Defender. ATP, agent on that machine ran. This command to collect the process, list and generate, a CSV file, this. Can help, you as a security professional to. Learn which commands you can use to, collect forensic information, which I believe is so handy in. Part. 5 of this demo we are going to explore Microsoft, Defender ATP, remediation. Actions like. Running antivirus scan, restrict. App execution. And isolate. Machine, these. Can be considered your mitigation. And containment, tools in your incident response management, I am, at the Microsoft, Defender ATP, management, portal and I can see I have many alerts in the active alerts section I can, find all machines at risk here so I will check on the demo, 3 machine to zoom in and see, what's happening on that machine, here. You can get the risk level of the machine and all, associated alerts, in the. Bar above you, also get list of actions, you can do remotely, to that machine as. Part, of the investigation or response, process, you. Can remotely initiate, an anti-virus scan to help identify and. Remediate, malware. That might be present on a compromised, machine, you, can select the scan type that you'd like to run you, can choose between a quick or a full, scan I will, type a comment and select, yes to start the scan, now. Immediately, the Action Center shows. The scan information as, you can see here now. On the machine itself you, can see that the scan completed, successfully. Returning. Back from the Microsoft, Defender, ATP management, portal perspective, the, Machine time line will include a new event reflecting. That a scan action, was submitted, on that machine Windows. Defender Av alerts will reflect any detection, that, surfaced. During the scan, this. Action, is available for, machines on Windows, 10 version. 1 709. Or later a Windows. Defender antivirus. Scan can run alongside other, antivirus, solutions. With a Windows Defender AV is the, active, antivirus, solution, or not so. Say for example you, have Symantec, AntiVirus running, on that machine and, you, are not using Windows Defender anti-malware. Or, real times, you, can still invoke a remote anti-virus, scan from Microsoft, Defender ATP portal, and this, will wake up the Windows, Defender anti-malware. Engine if it is not the primary anti-malware. Service. On that device and asked, it to run a quick or full, scan depending. On your choice in addition.

To The ability of containing, an attack by stopping malicious. Processes, by running an anti-virus scan you. Can also look down the device so that only programs. And executables. Signed by Microsoft, are allowed, to run on the device and, anything. Else will be blocked this. Method, of restriction. Can, help prevent an attacker from controlling, compromised, machines, and performing. Further malicious, activities. So. Let us restrict app execution. On the machine I will, type a comment and select. Yes, reselect app execution. Now, immediately, the Action Center shows, that the app restriction. Comment is bending, as I. Am running on the machine itself, you can immediately see, what the user can see on the machine I get, a notification that the device is restricted. Along with a message explaining. What is happening on that machine remember. That this action, only prevents, any program, not signed by Microsoft from, running on that machine so. The user can open Microsoft, Office applications. Without, any problems, and even browse the web but. If the, user tries to install anything that's signed by Microsoft. Like for example installing. Adobe Reader for example, this, action, will be blocked along with a notification. Explaining. To the end-user, what just happened, this is a good balance between security, and usability, from. Security, perspective we. Are restricting, executing. Malicious, code but, from the other side the user can open Outlook, Excel, and communicate, using Microsoft, themes for example, so, that he can still be productive while. Security, team's investigating. The problem now, depending, on the severity of the attack and the state of the machine you, can choose to reveal the, restriction, of applications. Policy, after you have verified that the compromised, machine has been mediated, and, you can see the action appearing in the action center which, becomes, the hub of notification. For all actions, performed, on that machine so, you can track back all, actions. Performed by you or, anyone, in, the security, operation team over time, now. That the app restriction. Is removed, we, can try to install Adobe, Reader on the machine again and as you can see there. Is nothing preventing you from doing so, now just, keep in mind that for the app restriction, to work you, need two things first. You, need to be running Windows, 10 version. 1 709. Or later and this. Feature is available if you are using Windows, Defender, antivirus. As your, malware, engine now, depending, what the severity of the attack and, the sensitivity, of the machine you might want to isolate the machine from the network this, action can help prevent the attacker from controlling, the compromised, machine and, performing, further activities.

Such As data. Exfiltration and. Lateral, movement, this machine, isolation. Feature disconnects. The compromised, machine from the network while, retaining, connectivity. To Windows Defender a tipi service, which, continues. To monitor the machine so, your machine will not be able to connect to any IP except. The, IPS, of the, Windows Defender a tipi cloud services. So that you can keep an eye on, what's happening on that machine and continue. Your investigation. Now, if the machine is running Windows 10 version. 1 709. Or later, you, get another cool feature you can do a selective. Isolation. Which, means you, can see this machine is not allowed to connect to any IP except, three services, number, one is the, Microsoft, Defender ATP cloud services, the second one is the exchange online services, and third, is the Skype for business services. As you, can see here this. Means you don't want the user to be able to do anything, on the machine in terms of network connectivity except. Using Outlook and Skype for business which. Makes it easier for the user to contact the help desk or the other way around it is easier for the security, team to contact, the user of the machine using, Outlook. Or Skype for business explaining. To him what is happening now, if I choose to isolate, the machine the end user of the machine will receive a notification card, stating. That the network is disabled, and that your IT administrator, has caused Windows, Defender to disconnect, your device and, you should contact, IT health discs now. Just a reminder the. Full isolation works. For Windows 10 version, 1 703. Or later, while. The Selective, isolation, is available. On Windows 10 version, 1 709. Or later, selective. Isolation, means the, machine can only talk to Microsoft, Defender ATP cloud services, and allow, the user to use Outlook and Skype for business, now. Depending, on the severity of the attack and the state of the machine you can choose to release the machine from isolation, after you have verified that. The compromised, machine has been remediated. In part. Six of this demo we are going to explore more features, and Microsoft Defender ATP that helps you hardened, your environment, by, following security, and configuration. Recommendations, from Microsoft, we. Are going to explore secure, score advanced. Hunting, threat, analytics ad threat. And vulnerability management. In the Microsoft, Defender ATB, I'm, logged onto Microsoft Defender, ATP management, portal and I will go to the secure, score section, the. Security, score dashboard, expands, your visibility, into the overall, security posture, of your organization. From, this dashboard you, will be able to quickly assess, the security posture of you all organization. See, machines that require attention as well, as recommendations for, actions, to further reduce, the attack service, in your organization, all in one place from, there you can take action based, on the recommendation, configuration, baselines, now, the Microsoft. Security, or tile you see here is a reflective. Of the sum of two things first. The, Windows, Defender security. Controls that are configured, according to the recommended baselines, and the. Office, 365, secure. Score it. Allows you to drill down into each portal, for, further analysis. Just. In one place you. Can also improve this score by taking the steps in configuring. Each of the security, controls in the optimal, settings now. Let me go to the threat analytics, section, threat. Analytics, is a set, of interactive. Reports, published, by the Microsoft. Defender ATP, research team as soon as emerging, threats and outbreaks, are identified. The. Reports, help, you assess, the, impact, of threats, in your organization. And provides, recommended, actions, to contain increase. Organizational. Resilience, and, prevent specific. Threats so, let me open this threat for example, and you can see executive. Summary information and, deep dive on how this threat actually works. In a nice visual, you, also get some mitigation, steps and detection details, all. To help you understand, how this thread, actually works, the nice thing is that for this image, threat you can see a list of machines. Vulnerable. To this threat and whether, this threat, is mitigated. Across all your workstations. I will, go now to the threat and vulnerability management. Section which helps, you detect, and assess threats, across endpoints, for example, I can see many areas of improvement, in my environment these. Areas, are listed here such, as the, application. The OS Network, accounts. And security, controls if. We take the operating, system area of improvement for example, we, can see our score is 41.

Out Of. 183. Which, means I can, do better by following Microsoft, recommendations, let, me click on the operating system improvement, area and learn more how I can raise my configuration score, here, I get list of security, recommendations like. This one right here and I, get information about. The security recommendation. And how, to harden, my workstations. Along, with list of machines, who, don't comply which. I believe is a great insight, that helps you quickly fix. This on the list of machines here instead. Of just going, to every machine and trying to solve the problem, if. We go to the security, controls improvement, area you, can see also a couple of recommendations like, enabling. Smart screen some, firewall, rules configuration, recommendations. And enabling. Pet Locker on Windows machines again. For each one of these recommendations you, get the list of machines, that don't comply now. Your objective would, be to raise your overall, configuration score. By hardening, pure machines from emerging, threats and following Microsoft, recommendations. Another. Area I want to talk about is advanced, hunting. Which, is a super, powerful, tool during, your investigations. Here, you can get the schema, for information, collected my one true soft defender ATP and this, helps you build your own queries. But. Don't worry you, have some ready queries, for you made by Microsoft, engineers, like searching. For heading, PowerShell, windows across, all your workstations, here. You can see the query language which. Is quite simple and down, you can see we have one machine, called demo 3 that, Microsoft, Defender ATP, agent observed the creation, of hidden. Powershell, windows this. Can be a suspicious, activity, that worth investigating. You can also query for all internet, downloads, across all your machines and here, we have this machine and, this machine downloaded. Adobe Reader from, the internet using a browser now. This become handy if for, example you, are investigating, an infected machine and you want to filter this output, to see what this machine downloaded.

From The internet during. An attack. Finally. Remember that attacks happen, usually using, the context, of a compromised, user so. If you suspect that an attacker stole, the credential, for a certain, user and use, that credential to perform pass the hash to, move to other machines you can switch your investigation. From focusing, on the workstation to. Tracking identities, and what they are doing across machines and, identity. Tracking, allows, you to track lateral, movement, inside your environment, so I can search for a user called master, and ask. Microsoft. Defender ATP to return all his, activities, across, all machines so, here we have the user logging on to two machines and we can zoom in and see what activities, or others are associated with this user on, a certain machine which is so powerful, now, Microsoft has. A great solution called, as your advanced, threat protection or, as your ATP that, can integrate with, Microsoft. Defender ATP, and fill, the gap when it comes to detecting, anomalies. Using. Compromised, credentials I highly. Recommend that you have a look to add your advanced, threat protection and, enable. The integration, between the two products. I'm. Going to leave you with some re

2019-05-19

Show video