Host Intrusion Detection like a Boss
C:> telnet Host.Intrusion.Detection...like.a.boss 
HELO Confraria de Segurança de Informação 
PRESENTATION FROM: André Lima 
RCPT TO: Confraria@Forum.Picoas 
WHEN 26 Nov 2014 
DATA 
Good evening, everyone! 
. 
QUIT 
by André Lima, 
Associate CISSP / ISO27001 / CCNA Security 
@0x4ndr3 
al@integrity.pt 
https://www.linkedin.com/in/aflima
$whois andrelima 
• Consultant at Integrity S.A. 
• Associate Certified Information Systems Security Professional 
(CISSP) 
• ISO 27001 LA 
• CCNA Security 
• CCNP Route 
• Computer Engineering @ ISEL 
0x4ndr3 
al@integrity.pt 
https://www.linkedin.com/in/aflima
$cat agenda.txt 
• Context 
• Intro to Samhain 
• Stealth – how it works 
• Stealth – installation details 
• Demo 
• Precautions 
• Conclusions 
• References 
• Questions
$patch -p1 < ../backdoor.c 
• Writing files 
– Patching 
– Adding backdoor user 
– Crontab 
– Altering logs 
– Rootkits 
– Backdoor service 
– Trojaned binaries 
... Limits? Your imagination!
But also... 
• Multi-admins environment
$samhain -h 
• Open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows) 
• Supports client-server model: configuration + database files 
• Provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, and detection of rogue SUID executables, etc. 
http://www.la-samhna.de/samhain/
$samhain -h 
• File signatures 
– Inode + timestamps + owner and group + permissions + number of hardlinks + etc. 
• File system SUID/SGID binaries 
• Detecting kernel rootkits 
• Checking for open ports 
• Log file validation 
• User ID (Linux Audit Daemon) 
• ... 
• Stealth mode!
$samhain -h | grep 'Stealth Mode' 
• What does it mean? 
– obfuscating strings in binaries + logfile + database (XML DB) 
– configuration can be steganographically hidden in a PostScript image file 
– renaming the HIDS binary (and auxiliary applications) 
– Not enabled by default but advised: delete the man pages folder!
$samhain -h | grep 'Stealth Mode' (slides 9-11: stealth-mode installation screenshots)
env X='() { :; }; echo "VULNERABLE DEMO"' bash -c id
Take some precautions!
echo $Precautions 
Document the stealth name!
echo $Precautions 
$ history -c
echo $Precautions (slides 16-18: precaution screenshots)
echo $Conclusions 
• Be organized 
– Know your assets 
• What users are supposed to be on a specific server 
• What ports must be open 
• What files (config / executables) must not be altered 
– Document your stealth configurations 
• Be very specific about what you're monitoring (minimize false positives)
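The file-signature slide lists what a Samhain check compares (inode, timestamps, owner, group, permissions, link count), and the conclusions ask for monitoring that is specific enough to avoid false positives. The following is an added example, not Samhain's code: a minimal baseline/check that records those attributes plus a SHA-256 and compares only the attributes a per-file policy watches. The policy names are borrowed from Samhain's ReadOnly and LogFiles config sections; which attributes each policy watches is this example's own assumption.

```python
"""Minimal Samhain-style file signature baseline and check (added example)."""
import hashlib
import os
import stat
from typing import Dict, FrozenSet, List

# Attributes recorded per file: the slide's list (inode, timestamps, owner,
# group, permissions, number of hardlinks) plus size and a content hash.
ALL_ATTRS = ("inode", "mtime", "ctime", "uid", "gid", "mode", "nlink", "size", "sha256")

# Policy names follow Samhain's config sections; the attribute sets are an
# assumption for this example. Watching fewer attributes on files that change
# legitimately is how false positives are kept down.
POLICIES: Dict[str, FrozenSet[str]] = {
    # nothing about the file may change (e.g. /etc/passwd, /bin/bash)
    "ReadOnly": frozenset(ALL_ATTRS),
    # log files grow: ignore size, mtime, ctime and hash, but still alarm on
    # ownership, mode, inode (file replaced) or hardlink count
    "LogFiles": frozenset(("inode", "uid", "gid", "mode", "nlink")),
}


def signature(path: str) -> Dict[str, object]:
    """Collect the attributes a file-integrity check compares for one path."""
    st = os.lstat(path)  # lstat: a symlink is recorded as the link itself
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "inode": st.st_ino, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
        "uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode),
        "nlink": st.st_nlink, "size": st.st_size, "sha256": digest.hexdigest(),
    }


def build_baseline(watch: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """watch maps path -> policy name; returns the signature database."""
    return {path: signature(path) for path in watch}


def check(watch: Dict[str, str], baseline: Dict[str, Dict[str, object]]) -> List[str]:
    """Compare the live file system with the baseline; one line per finding."""
    findings: List[str] = []
    for path, policy in watch.items():
        if not os.path.lexists(path):
            findings.append(f"MISSING {path}")
            continue
        old = baseline.get(path)
        if old is None:
            findings.append(f"NEW {path}")
            continue
        now = signature(path)
        for attr in sorted(POLICIES[policy]):  # only the watched attributes
            if old[attr] != now[attr]:
                findings.append(f"CHANGED {path} {attr}: {old[attr]} -> {now[attr]}")
    return findings
```

The baseline dictionary stands in for Samhain's signature database; in a real deployment it must be stored where the monitored host cannot silently rewrite it (the slides' client-server model).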
echo $references 
• Samhain documentation 
– http://www.la-samhna.de/samhain/s_documentation.html
$read Questions