Advanced Persistent Threat
Not every attack is an APT…
Advanced Persistent Threat: What is it? Targeted attacks carried out with widely available automated tools, executed in a coordinated way by an unknown group of people, persistently and quite professionally, in order to achieve long-term strategic goals.
Advanced Persistent Threat: Why?
Our emergency response and disaster recovery plan
Advanced Persistent Threat: What to do?
Global Enterprise: 200+ offices; outsourced, centralized IT.
Single-forest Active Directory; Windows 2000/2003/… ; users/desktops; servers.
Incident timeline: June, July, Aug, Sept, Oct 2009.
Network diagram: Internet.
FileName | Detection | Description
app.aspx | Backdoor:ASP/Aspy.A | ASPX Spy enables uploading of files through the web browser and executing them on the web server. Download:
mt.exe | Backdoor:Win32/Agent.JT | Backdoor + password stealer
rebind.exe | Backdoor:Win32/Small | Remote command shell
web.asp | Backdoor:ASP/Ace | ASP backdoor
zwshlx.exe | Backdoor:Win32/Rat | Remote administration tool, backdoor
ver.exe | Backdoor:Win32/Remosh.A.dr | Multi-functional backdoor
sethc.exe | Backdoor:AutoIt/Acidoor.A | Control panel applet that provides a command shell

FileName | Detection | Description
api.asp | HackTool:ASP/Oxess.A | Allows retrieval of websites, similar to a proxy
lcx.exe | Tool:Win32/Transmit | Proxy tool
app.s23.aspx | HackTool:ASP/Websniff.A | ASPX network sniffer and password stealer
hash.exe | HackTool:Win32/Gsecdump | Password dumper
tmplugin.dll | PWS:Win32/Lsagrab | LSA secrets dumping DLL
p.exe | HackTool:Win32/PWDump.A | Password dumper
fgdump.exe | HackTool:Win32/Fgdump | Tools to dump LSA secrets and other credentials
hash2.exe | (no detection) | Part of commercial password recovery tool (SAMInside)
hookmsgina.dll | PWS:Win32/Hine.A!dll | Password stealing hook
s.exe | Tool:Win32/Tcpportscan.D | Port scan utility

FileName | Tool | Description
nc.exe | NetCat | Port scanner, tunneling, proxy, webserver
psexec.exe | Psexec | Telnet replacement, execute processes, remote console
rar.exe | RAR | Compression utility
portqry.exe | PortQuery | Utility to test TCP/IP connectivity
strexp.exe | StringExpander | String expander
testport.exe | TestPort | Port scan utility
powershell.exe | PowerShell | …
hyena.exe | Hyena | Active Directory administration tool
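The three tables above are, for a defender, a watchlist: a process-creation record whose image name matches one of them is worth a look, and the dual-use administration tools matter mostly when run by an account or from a path where they are not expected. The PowerShell below is an added example, not material from the presentation, that turns the file names from the tables into such a watchlist and runs it over a handful of constructed records shaped like Security event 4688 fields (TimeCreated, Computer, SubjectUserName, NewProcessName); the records, host names and accounts are invented sample data, not logs from the incident.

```powershell
# Added example: hunt for the file names listed in the three tables in process-creation records.
# The sample records below are constructed, not real event logs.

# File names from the tables, grouped the way the slides group them.
$BackdoorNames = 'app.aspx','mt.exe','rebind.exe','web.asp','zwshlx.exe','ver.exe','sethc.exe'
$HackToolNames = 'api.asp','lcx.exe','app.s23.aspx','hash.exe','tmplugin.dll','p.exe','fgdump.exe',
                 'hash2.exe','hookmsgina.dll','s.exe'
$DualUseNames  = 'nc.exe','psexec.exe','rar.exe','portqry.exe','strexp.exe','testport.exe',
                 'powershell.exe','hyena.exe'

# PowerShell hashtables compare keys case-insensitively, which is what we want for Windows file names.
$Watchlist = @{}
foreach ($n in $BackdoorNames) { $Watchlist[$n] = 'Backdoor' }
foreach ($n in $HackToolNames) { $Watchlist[$n] = 'HackTool' }
foreach ($n in $DualUseNames)  { $Watchlist[$n] = 'DualUse' }

function Find-WatchlistedProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Record
    )
    process {
        # Match on the file name only: dropped tools live under arbitrary paths.
        $name = ($Record.NewProcessName -split '[\\/]')[-1]
        if (-not $Watchlist.ContainsKey($name)) { return }

        # sethc.exe is a legitimate Windows binary; only a copy outside System32 is unusual.
        # Very short generic names (s.exe, p.exe) need the same kind of context before escalating.
        $note = 'review'
        if ($name -ieq 'sethc.exe' -and $Record.NewProcessName -like '*\Windows\System32\sethc.exe') {
            $note = 'expected location'
        }

        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.Computer
            Account     = $Record.SubjectUserName
            Process     = $Record.NewProcessName
            Category    = $Watchlist[$name]
            Note        = $note
        }
    }
}

# Constructed sample records (assumption: the field names Get-WinEvent exposes for event 4688).
$SampleRecords = @(
    [pscustomobject]@{ TimeCreated='2009-07-14 02:11:05'; Computer='SRV1';   SubjectUserName='svc_backup'; NewProcessName='C:\Windows\Temp\fgdump.exe' },
    [pscustomobject]@{ TimeCreated='2009-07-14 02:12:40'; Computer='SRV1';   SubjectUserName='svc_backup'; NewProcessName='C:\Windows\Temp\psexec.exe' },
    [pscustomobject]@{ TimeCreated='2009-07-14 02:13:01'; Computer='WEB01';  SubjectUserName='IUSR_WEB01'; NewProcessName='C:\inetpub\wwwroot\ver.exe' },
    [pscustomobject]@{ TimeCreated='2009-07-14 08:00:12'; Computer='WKS042'; SubjectUserName='jdoe';       NewProcessName='C:\Windows\System32\sethc.exe' },
    [pscustomobject]@{ TimeCreated='2009-07-14 08:05:33'; Computer='WKS042'; SubjectUserName='jdoe';       NewProcessName='C:\Program Files\Microsoft Office\WINWORD.EXE' }
)

# Four of the five records match; the System32 copy of sethc.exe is reported with the 'expected location' note.
$SampleRecords | Find-WatchlistedProcess | Format-Table -AutoSize
```

Against real data, replace `$SampleRecords` with the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` projected onto the same four fields. File-name matching is the cheapest of the checks and the easiest for an intruder to evade by renaming, so treat it as a starting point alongside hash and behaviour-based detection, not as the whole net.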
Remediation effort: current environment, new environment. Phases: raising the bar; securing the crown jewels; back to normal.
Finding | Value
Many Admins | 75%
Admins with "Password Never Expires" | 91%
LAN Manager Hash enabled | 75%
Group Policies not used to enforce security | 61%
No documented disaster recovery plan | 50%
Backups not secured | 53%
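The first four findings in the table can be measured directly from the directory rather than estimated. The following PowerShell is an added example (not from the presentation) of a read-only audit that produces those numbers for one domain. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the account running it can read the Lsa key on the domain controllers over PowerShell remoting; the group names and the "more than the two default GPOs" heuristic are assumptions stated in the comments.

```powershell
# Added example: measure the "Many Admins", "Password Never Expires", "LM hash" and
# "Group Policies" findings for the current domain. Read-only; changes nothing.

Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-AptFindings {
    param(
        # Assumption: these three groups are the privileged set of interest.
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        # Leave empty to enumerate all domain controllers.
        [string[]] $DomainControllers = @()
    )

    # "Many Admins": every user that is (recursively) a member of a privileged group, deduplicated.
    $members = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
    }
    $adminUsers = @($members | Sort-Object -Property distinguishedName -Unique |
                    Get-ADUser -Properties PasswordNeverExpires, Enabled)

    # 'Admins with "Password Never Expires"': the flag is a user property, so count it per admin.
    $neverExpires = @($adminUsers | Where-Object { $_.PasswordNeverExpires })
    $pct = 0
    if ($adminUsers.Count -gt 0) {
        $pct = [math]::Round(100 * $neverExpires.Count / $adminUsers.Count)
    }

    # "LAN Manager Hash enabled": NoLMHash = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa stops
    # new LM hashes from being stored; 0 or an absent value means they are still written on change.
    if ($DomainControllers.Count -eq 0) {
        $DomainControllers = (Get-ADDomainController -Filter *).HostName
    }
    $lmStillEnabledOn = foreach ($dc in $DomainControllers) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
        }
        if ($value -ne 1) { $dc }
    }

    # "Group Policies not used to enforce security": a domain with only the two default GPOs has no
    # custom policy at all. Assumption: anything beyond those two counts as an attempt to enforce.
    $customGpoCount = @(Get-GPO -All).Count - 2
    if ($customGpoCount -lt 0) { $customGpoCount = 0 }

    [pscustomobject]@{
        AdminUserCount                = $adminUsers.Count
        AdminsPasswordNeverExpires    = $neverExpires.Count
        AdminsPasswordNeverExpiresPct = $pct
        LMHashStillEnabledOn          = @($lmStillEnabledOn)
        CustomGpoCount                = $customGpoCount
    }
}

Get-AptFindings | Format-List
```

Run it before and after the remediation phases to show the percentages moving; the PasswordNeverExpires count in particular is a good indicator of whether the "raising the bar" work is actually reaching the privileged accounts. The remaining two findings (a documented recovery plan, secured backups) are process questions and are not something a script can answer.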
Automation applied to an efficient operation will magnify the efficiency… automation applied to an inefficient operation will magnify the inefficiency - Bill Gates
Demo
Video
Announcement
Get-Process -ComputerName srv1

class TechEdProgram
{
    public static void Main()
    {
        System.Console.WriteLine("Hello, Tech·Ed!");
    }
}