Detecting Computer Intrusions: Are You Pwned?
Slides: conference.hackinthebox.org/hitbsecconf2009dubai/materials/D2T1 …
© 2009 Forward Discovery, Inc. Forward Discovery – Detecting Computer Intrusions 2
Steve Anson
• Former computer agent for the U.S. Department of Defense and Federal Bureau of Investigation (FBI)
• Former computer crime investigation instructor at the FBI Academy
• Co-author of Mastering Windows Network Forensics and Investigations
• Instructor for U.S. State Department
• CISSP, MCSE, EnCE, blah, blah, blah
Detecting Intrusions
• Behavioral Indicators
• Forensic Indicators
Behavioral Indicators
• “Clues” you may be hacked
Behavioral Indicators
• IDS / IPS Alert
– Sorting False Alarms Takes Time
• Antivirus Alert
– Inbound or Already Installed?
• SIEM Alert
– Again, Tricky to Configure
Behavioral Indicators
• Scanning
– Can be quite loud (lamers, worms)
– Often more controlled (more dangerous)
Behavioral Indicators
• E.T. Phones Home – Beaconing
Behavioral Indicators
• The massive sucking sound of all your data leaving
– Data exfiltration can be rapid and massive in scope
– Attacker may stage for years and then pull data over one weekend
Behavioral Indicators
• Traffic that’s just not right
– Large file transfers over port 53
– Lots of extraneous SSL traffic
– SSL traffic on port 80
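The beaconing, exfiltration and "traffic that's just not right" indicators on the three slides above, as detection logic run over constructed flow records (an added example, not from the slides; the record layout and thresholds are assumptions):

```python
# Added example (not from the slides): score constructed flow records for the
# three indicators above: regular beaconing, bulk transfer over port 53, and
# TLS handshakes on port 80. Thresholds are assumptions; tune them per site.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, src, dst, dst port, bytes out, first payload bytes)
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 443, 900, b"\x16\x03\x01"),    # timer-driven
    (1600, "10.0.0.5", "203.0.113.9", 443, 910, b"\x16\x03\x01"),
    (2200, "10.0.0.5", "203.0.113.9", 443, 905, b"\x16\x03\x01"),
    (2800, "10.0.0.5", "203.0.113.9", 443, 898, b"\x16\x03\x01"),
    (3400, "10.0.0.5", "203.0.113.9", 443, 902, b"\x16\x03\x01"),
    (1000, "10.0.0.6", "198.51.100.8", 443, 1200, b"\x16\x03\x01"),  # human browsing
    (1050, "10.0.0.6", "198.51.100.8", 443, 1300, b"\x16\x03\x01"),
    (1900, "10.0.0.6", "198.51.100.8", 443, 1100, b"\x16\x03\x01"),
    (2000, "10.0.0.6", "198.51.100.8", 443, 1250, b"\x16\x03\x01"),
    (3300, "10.0.0.6", "198.51.100.8", 443, 1180, b"\x16\x03\x01"),
    (1100, "10.0.0.7", "198.51.100.2", 53, 52_000_000, b"\x00\x01"),  # 52 MB of "DNS"
    (1200, "10.0.0.8", "198.51.100.3", 80, 4000, b"\x16\x03\x01"),    # TLS on 80
    (1300, "10.0.0.8", "198.51.100.4", 80, 600, b"GET / HTTP/1.1"),
]

def beacons(flows, min_count=5, max_cv=0.1):
    """Return (src, dst, dport) keys whose connection intervals are nearly constant."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, *_ in flows:
        by_key[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation: human traffic is bursty, timers are regular.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(key)
    return hits

def odd_traffic(flows, dns_limit=1_000_000):
    """Flag bulk transfers over port 53 and TLS handshakes on port 80."""
    findings = []
    for _, src, dst, dport, nbytes, payload in flows:
        if dport == 53 and nbytes > dns_limit:
            findings.append((src, dst, "large transfer over port 53"))
        # A TLS record starts with content type 0x16 (handshake) and version 0x03xx.
        if dport == 80 and payload[:2] == b"\x16\x03":
            findings.append((src, dst, "TLS on port 80"))
    return findings
```

Real flow exports (NetFlow, Zeek conn logs) give the same fields; the first payload bytes come from a packet capture or a protocol-identifying sensor.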
Behavioral Indicators
• Unexplained user accounts
– Old accounts that are reactivated
– New accounts
– Old accounts with new permissions
Forensic Indicators
• Logs
• Malware
• Time
Logs
• IDS / IPS
– Great if you have them
• Firewall
– Track connections in and out
• Authentication Servers
– Unusual logon times or locations
Windows Logs
• Remote Logon
– Event ID 528 (Logon Type 10), 540, 672, 673
• PsExec
– Event ID 7035, 7036
• Password Guessing
– Event ID 672 (Failure), 675, 676, 680, 681
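The three Windows log patterns on the slide above as triage logic over constructed event records (an added example, not from the slides; the tuple layout, field names and the five-failures-per-minute threshold are assumptions):

```python
# Added example (not from the slides): triage constructed Windows security and
# system log records for the three patterns above. The tuple layout is an
# assumption; map the fields from your own log export before using it.
from collections import defaultdict

REMOTE_IDS = {540, 672, 673}           # network logon, Kerberos AS/TGS tickets
GUESS_IDS = {672, 675, 676, 680, 681}  # Kerberos and NTLM failure audits
PSEXEC_IDS = {7035, 7036}              # Service Control Manager events

# Constructed records: (seconds, event id, result, logon type, user, source, service)
EVENTS = [
    (10, 528, "Success", 10, "admin", "10.0.0.5", ""),      # RDP (logon type 10)
    (20, 540, "Success", 3, "svc_backup", "10.0.0.9", ""),  # network logon
    (30, 528, "Success", 2, "alice", "console", ""),        # interactive, ignored
    (40, 7035, "Info", None, "", "", "PSEXESVC"),
    (41, 7036, "Info", None, "", "", "PSEXESVC"),
    (50, 7036, "Info", None, "", "", "Spooler"),
    (200, 675, "Failure", None, "carol", "10.0.0.7", ""),   # a single typo
] + [(100 + i * 5, 680, "Failure", None, "bob", "10.0.0.5", "") for i in range(6)]

def remote_logons(events):
    """528 matters only with logon type 10 (RDP); 540/672/673 are remote by nature."""
    return [(user, src, eid) for _, eid, res, ltype, user, src, _ in events
            if res == "Success" and (eid in REMOTE_IDS or (eid == 528 and ltype == 10))]

def psexec_activity(events):
    """PsExec installs and starts a PSEXESVC service, which surfaces as 7035/7036."""
    return [(eid, svc) for _, eid, _, _, _, _, svc in events
            if eid in PSEXEC_IDS and svc.upper() == "PSEXESVC"]

def password_guessing(events, threshold=5, window=60):
    """Flag (user, source) pairs with >= threshold failures inside a sliding window."""
    fails = defaultdict(list)
    for t, eid, res, _, user, src, _ in events:
        if eid in GUESS_IDS and res == "Failure":
            fails[(user, src)].append(t)
    hits = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(key)
                break
    return hits
```

Note that 672 appears in both the remote-logon and the password-guessing sets, exactly as the slide lists it: a success audit is a ticket grant, a failure audit is a failed pre-authentication.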
File System Forensics – Timestamps
• Standard of analysis
• Used to detect changes
• Some say its time has passed
File System Forensics
(diagram slides; labels: Windows Logs, MAC Times)
File System Forensics – Bad Binaries
• Close names
– svvchost
– svchosts
• Alternate locations
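The two bad-binary checks on the slide above, close names and alternate locations, as a sweep over a constructed process list (an added example, not from the slides; the KNOWN allow-list and the sample paths are assumptions, and the name check generalizes the two slide examples to any name within edit distance 2 of a core binary):

```python
# Added example (not from the slides): flag process image paths whose names are
# near-misses of core Windows binaries (svvchost, svchosts) or that run from an
# unexpected directory. KNOWN is an assumed allow-list; extend it per build.
import ntpath  # splits backslash paths correctly even when run on Linux

# Assumed known-good names and the directories they normally run from.
KNOWN = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
}

# Constructed process list as a forensic tool might export it.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",    # clean
    r"C:\Windows\System32\svvchost.exe",   # close name
    r"C:\Users\Public\svchosts.exe",       # close name
    r"C:\Users\Public\svchost.exe",        # right name, wrong place
    r"C:\Windows\System32\notepad.exe",    # clean
]

def edit_distance(a, b):
    """Levenshtein distance; cheap enough for a full process or directory listing."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path, max_distance=2):
    """Return None for a clean entry, otherwise a short reason string."""
    directory, name = ntpath.split(path.lower())
    if name in KNOWN:
        return None if directory in KNOWN[name] else "alternate location"
    for good in KNOWN:
        if edit_distance(name, good) <= max_distance:
            return f"close name to {good}"
    return None

def sweep(paths):
    """Pair each suspicious path with its reason, skipping clean entries."""
    return [(p, reason) for p in paths if (reason := classify(p))]
```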
File System Forensics – Memory Forensics
• Running processes
• Open ports
• Active connections
• Malware only in RAM
File System Forensics – Memory Forensics
• Old school
– netstat -ano (or netstat -anp)
– tasklist /SVC (or ps -ef)
• New school
– HBGary, Volatility
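The "old school" pair on the slide above is most useful when joined: `netstat -ano` gives sockets with owning PIDs, `tasklist /SVC` gives PIDs with image names and hosted services. An added example (not from the slides) that joins constructed output of both on PID and flags sockets whose PID has no visible process; the sample text is constructed in the real tools' layout:

```python
# Added example (not from the slides): join constructed `netstat -ano` and
# `tasklist /SVC` output on PID, so each socket is tied to its image and
# services, and flag sockets whose PID has no visible process.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.5:49200         203.0.113.9:443        ESTABLISHED     3120
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2716
  UDP    0.0.0.0:500            *:*                                    1204
"""

TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    884 RpcSs
lsass.exe                     1204 KeyIso, SamSs
updater.exe                   3120 N/A
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows; UDP lines carry no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or "Active Connections" banner
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, services) from `tasklist /SVC` output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():   # skips header and separator
            procs[int(parts[1])] = (parts[0], " ".join(parts[2:]))
    return procs

def join_connections(netstat_text, tasklist_text):
    """Attach image and services to every socket; unknown PIDs are marked."""
    procs = parse_tasklist(tasklist_text)
    return [(proto, local, foreign, state, pid, *procs.get(pid, ("<no visible process>", "")))
            for proto, local, foreign, state, pid in parse_netstat(netstat_text)]

def hidden_owners(netstat_text, tasklist_text):
    """Sockets with no matching process: it exited, or something is hiding it."""
    return [r for r in join_connections(netstat_text, tasklist_text)
            if r[5] == "<no visible process>"]
```

A listening port with no owning process in the task list is worth pulling a memory image for, which is where the "new school" tools take over.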
File System Forensics – Hash Analysis
• MD5 or SHA1 hash comparisons
• Same limitation as any signature-based solution
• Good at identifying other copies
Enterprise Forensics
• Network Traffic Forensics
• Sweeping Entire Enterprise
Contact Information
Steve Anson, Forward Discovery Middle East FZ-LLC, Dubai Knowledge Village, Block 6, Office F08
Mobile – +971 50 287 1062
Email – [email protected]
Web – www.forwarddiscovery.com