BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp

•

6 gefällt mir•1,409 views

Jagadeesh Parameswaran, Microsoft Rahul Sachan, Microsoft Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.

Technologie

Screenshots present in this session are either from the
Production environments (with obfuscated contents) or
from the Demo environments

Digital Crimes Unit (DCU)
Microsoft Azure (C+AI Security)
Microsoft Security Response Center (C+AI Security)
Cyber Security Services Engineering
Microsoft Threat Intelligence Center (MSTIC)
Office 365 Security
Data & Intelligence (DI)
Cyber Defense Operations Center (CDOC)

Consoles
Host Network
Big Data (Queries & Analytics)
SIEM
IDS++FW++

How does Windows Defender Advanced Threat
Protection (WDATP) helps us?
Windows Defender ATP (WDATP) works behind the scenes
to better detect threats on the network and helps the SOC
investigate and respond to data breaches.

Abnormal resource access
Account enumeration
Net Session enumeration
DNS enumeration
SAM-R Enumeration
LDAP Enumeration (Roadmap)
Brute force using NTLM, Kerberos, or LDAP
Honey Token account suspicious activities
Unusual protocolimplementation
Malicious Data Protection Private
Information (DPAPI) Request
Suspicious VPN Connections
Abnormal authentication
requests
Remote Execution
Pass-the-Ticket
Pass-the-Hash
Overpass-the-Hash
Malicious service creation
MS14-068 exploit
(Forged PAC)
MS11-013 exploit
(Silver PAC)
Skeleton key malware
Golden ticket non-existent account
Remote execution
Malicious replication requests
Abnormal Modification of Sensitive
Groups
Suspicious domain controller
promotion & replication (potential
DCShadow attack)Compromised
Credential
!
Reconnaissance
!
!
!
Lateral
Movement
Privilege
Escalation
Domain
Dominance
Azure ATP (AATP) detects a WIDE RANGE of Suspicious
Activities on the AD & UEBA Monitoring perspectives
Covers various Active Directory and User accounts related attacks across the Kill-Chain phases

Horizontal
Bruteforce:
• a small set of passwords across
many users
Vertical
Bruteforce:
• a large set of passwords on just a
few users

A real attack by an
adversary
A service / application
that leverages LDAP
Simple Binds rather
LDAPS

Changed
passwords of the
compromised users
Checked WDATP
events in the victim
machines to
identify any
suspicious process
executions later the
attack
Asked them to use
Strong Passwords
to prevent
Bruteforce attacks
Checked any
suspicious login for
the user accounts
using MCAS to
identify any
possible
compromise /
access of Exchange
Online / SharePoint
Online Data

Attacker was contacted
to identify the
necessary reasons for
the attack
This was done for
experimental purposes
by the attacker – as a
Script kiddie
Attacker was educated
NOT to use any
malicious activities
using Tools or Scripts
from the Microsoft
CORP domain joined
machines

LDAP Simple
Bind Bruteforce
attacks are
simple, but are
difficult to
track
Using AATP &
WDATP, BF
attack can be
quickly
detected
Complex,
Strong
passwords help
to prevent
Bruteforce
attacks

Compromised Acc
1
2
Victim User 1
Victim User 2
Domain Admin
DC
ATTACKER
BRUTE FORCE
COMPROMISED ACCOUNT
MOVE LATERALLY
1
2
Attack Workflow

In less than two hours
of successfully
achieving access to the
permanent domain
admin account,
Attacker used its hash
to replicate the
directory to their
machine: Desktop-xxxx
…. a non domain joined
box…… a rogue
Domain Controller …

Compromised
account + Non
DJ machine +
Mimikatz can
bring troubles
to the AD
AATP provides
visibility to the
attack targeting
AD environment
Rich time lines
of WDATP helps
to pinpoint
anomalies of
Domain joined
machines

Securing Privileged Access
Office 365 Security
Rapid Cyberattacks
(Wannacrypt/Petya)
https://aka.ms/MCRA Video Recording Strategies
SQL Encryption &
Data Masking
Office 365
Dynamics 365
+Monitor
Data Loss Protection
Data Governance
eDiscovery

BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp

Weitere ähnliche Inhalte

Was ist angesagt?

From ATT&CKcon 3.0 By Jared Stroud, Lacework Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.

ATT&CKING Containers in The Cloud

MITRE ATT&CK

Matthieu Faou, ESET After having tracked Turla's activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). Turla, also known as Snake, is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaign was against the US military ten years ago and they are still very active. In early 2018, the group broke the news for having successfully breached the German Foreign Office. Some details quickly leaked in news outlets. Turla operators were in the German government network since the end of 2016 and they used a backdoor fully controlled by emails. As no public information were available online, we started analysing the so-called Outlook Backdoor. During our investigation, we were able to identify other important victims such as two Ministries of Foreign Affair in Europe and a large defense contractor. In this talk, we will present a detailed analysis of this malware, which is a full-featured backdoor targeting email clients. Its main target is Microsoft Outlook but it can also interact with The Bat!, an email client widely used in Eastern Europe. To interact with Microsoft Outlook, it leverages the Messaging Application Programming Interface (MAPI). The commands are received through specially crafted PDF attachments that are then decoded and interpreted by the backdoor. There is no strong authentication to verify the identity of the command sender. Thus, anybody understanding the command format would be able to control the compromised machines. It leads to additional security risk for the victims. The malware also exfiltrates highly-sensitive data such as the outgoing emails sent by the infected user. The hardcoded e-mail address used for exfiltration was registered at a popular European free email provider. We will present the analysis of the complex structure that embeds the commands. We will also provide a demo showing it is possible to fully control an infected machine by just sending an email with a PDF attached. This unusual way of communication for a backdoor helps the attackers to blend in the normal network traffic and bypass security monitoring solutions. We will also present older versions of this backdoor, as we were able to trace it back as early as 2013. Finally, we will discuss possible mitigations and methods to detect this backdoor.

BlueHat v18 || A turla gift - popping calc.exe by sending an email

BlueHat Security Conference

Malware for Red Team

Satria Ady Pradana

CSW2017 chuanda ding_state of windows application security

CanSecWest

From ATT&CKcon 3.0 By Jason Wood and Justin Swisher, CrowdStrike When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

MITRE ATT&CK

ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security? This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.

MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire

MITRE - ATT&CKcon

Breaking and entering how and why dhs conducts penetration tests

Priyanka Aash

2012 S&P Paper Reading Session1

Chong-Kuan Chen

Purple team is awesome

Sumedt Jitpukdebodin

PIDS research slides from MALCON 2018 conference - Asaf Hecht

Asaf Hecht

Rugged DevOps at Scale with Rich Mogull

SeniorStoryteller

CSW2017 Geshev+Miller logic bug hunting in chrome on android

CanSecWest

Security War Games

SeniorStoryteller

Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018. To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents, "Adversary Playbooks" as they contain our best approximation of how the adversary launches their attacks. This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.

MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...

MITRE - ATT&CKcon

DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents

Christopher Gerritz

Real World Application Threat Modelling By Example

NCC Group

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

CanSecWest

CSW2017 Enrico branca What if encrypted communications are not as secure as w...

CanSecWest

Cloud attack vectors and security controls are different. Many companies breached on AWS moved sensitive data to AWS following best practices or implementing cloud security controls correctly. Reports indicate that hybrid cloud implementations have weaknesses and research finds that devs are the new security target. See Kolby Allen and Teri Radichel duke it out as Teri attacks an AWS account and Kolby defends it. (Source: RSA Conference USA 2018)

Red Team vs. Blue Team on AWS

Priyanka Aash

Attacker's Perspective of Active Directory

Sunny Neo

Was ist angesagt? (20)

ATT&CKING Containers in The Cloud

BlueHat v18 || A turla gift - popping calc.exe by sending an email

Malware for Red Team

CSW2017 chuanda ding_state of windows application security

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire

Breaking and entering how and why dhs conducts penetration tests

2012 S&P Paper Reading Session1

Purple team is awesome

PIDS research slides from MALCON 2018 conference - Asaf Hecht

Rugged DevOps at Scale with Rich Mogull

CSW2017 Geshev+Miller logic bug hunting in chrome on android

Security War Games

MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...

DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents

Real World Application Threat Modelling By Example

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

CSW2017 Enrico branca What if encrypted communications are not as secure as w...

Red Team vs. Blue Team on AWS

Attacker's Perspective of Active Directory

Ähnlich wie BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp

CSF18 - Incident Response in the Cloud - Yuri Diogenes

NCCOMMS

How to protect your corporate from advanced attacks

Microsoft

The hacker playbook: How to think and act like a cybercriminal to reduce risk...

Paula Januszkiewicz

Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Andris Soroka

Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...

JamieWilliams130

Presentation data security solutions certified ibm business partner for ibm...

xKinAnx

In this presentation from her webinar, Paula Januszkiewicz, Security MVP, CEO at CQURE takes you on a technical deep dive in the Active Directory monitoring world. Topics covered include: - The importance of properly tracking changes to AD - Why (and how) changes to AD could impact the security of the environment - How to monitor AND INSPECT some key situations in AD - How to tell who, a group of Admins, has made specific changes You can watch the on-demand webinar here: https://www.beyondtrust.com/resources/webinar/active-directory-auditing-tools-building-blocks-just-handful-dust/

Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?

BeyondTrust

Gartner Security & Risk Management Summit 2018

Paula Januszkiewicz

Mitigating Malware Presentation Jkd 11 10 08 Aitp

Joann Davis

Corporate Security Issues and countering them using Unified Threat Management...

Rishabh Dangwal

Which Came First: The Phish or the Opportunity to Defend Against It

JamieWilliams130

Cloud Security or: How I Learned to Stop Worrying & Love the Cloud Presented by Marija Strazdas - Sr. Solutions Engineer, Alert Logic Presented to the Boston Amazon Web Services Meetup Group on Jun 5 & 21 https://www.meetup.com/The-Boston-Amazon-Web-Services-Meetup-Group/ Summary/Themes: - Understanding your attack surface is critical to deploying the right security controls. - Attack surface in the cloud environments is significantly different than on-premises - Dominant cloud exposures are often misunderstood

Cloud Security or: How I Learned to Stop Worrying & Love the Cloud

MarkAnnati

Week Topic Code Access vs Event Based.pptx

ArjayBalberan1

【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】

Hacks in Taiwan (HITCON)

ISACA -Threat Hunting using Native Windows tools .pdf

Gurvinder Singh, CISSP, CISA, ITIL v3

Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...

Adam Pennington

Reducing Your Attack Surface

Alert Logic

"Evolving Cybersecurity Strategies" - Identity is the new security boundary

Dean Iacovelli

Eximbank security presentation

laonap166

Despite billions spent on enterprise cyber security, breaches from advanced attacks, costing millions, are occurring on a daily basis. Our Solution: Complete Near Real-time Network Security Visibility and Awareness: If security analysts could see everything occurring on their network in real-time, breaches would occur but there would never be catastrophic damage – breach reaction would be almost instantaneous. Novetta Cyber Analytics is a linchpin enterprise security solution that enables security analysts, for the first time, to see a complete, near real-time, uncorrupted picture of their entire network. Security analysts then ask and receive answers to subtle questions – at the speed of thought – to enable detection, triage and response to breaches as they occur. The Benefits: Increase events-responded-to an estimated 30X over. Substantially reduce or eliminate damage from breaches. Create a dramatically more effective and efficient security team. Maximize current security infrastructure investment. Be far more confident that your network is actually secure. OUR DIFFERENTIATORS: Understands the truth of what is happening on your network. Detects advanced attacks that have breached perimeter defenses. Develops a complete, near real-time understanding of suspicious behaviour. Develops a battleground understanding of your entire security situation. Augments current security solutions. Proven speed, scale and effectiveness on the largest, most attacked networks on earth.

Novetta Cyber Analytics

Novetta

Ähnlich wie BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp (20)

CSF18 - Incident Response in the Cloud - Yuri Diogenes

How to protect your corporate from advanced attacks

The hacker playbook: How to think and act like a cybercriminal to reduce risk...

Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...

Presentation data security solutions certified ibm business partner for ibm...

Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?

Gartner Security & Risk Management Summit 2018

Mitigating Malware Presentation Jkd 11 10 08 Aitp

Corporate Security Issues and countering them using Unified Threat Management...

Which Came First: The Phish or the Opportunity to Defend Against It

Cloud Security or: How I Learned to Stop Worrying & Love the Cloud

Week Topic Code Access vs Event Based.pptx

【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】

ISACA -Threat Hunting using Native Windows tools .pdf

Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...

Reducing Your Attack Surface

"Evolving Cybersecurity Strategies" - Identity is the new security boundary

Eximbank security presentation

Novetta Cyber Analytics

Mehr von BlueHat Security Conference

Santiago Pontiroli With more than 2.5 billion gamers from all over the world, it's no wonder that at least a fraction of them would bring into action additional tools to gain an unfair advantage over their opponents in the virtual world. This is one of the many reasons behind the existence and rapid growth of a multi-million dollar industry that thrives on selling cheats, hacks and modifications to desperate gamers seeking to gain the upper hand in their next match. Let's dissect these tools and understand how modern games and anti-cheating technologies can be easily bypassed, all while we get a glimpse of the dubious market and supporting crews that develop, sell, and maintain the commodities in this illegal economy. It's not unusual for cheats to be more expensive than the actual games they are trying to profit from, or for players to buy a single title over and over until they can avoid being banned by the protective measures implemented in the first place. Fortnite? Overwatch? League of Legends? If you've heard about these games but you don't know what an aim-bot, a wall-hack, or an ESP means, then you might finally understand why all those competitive matches you played have made you feel like a fish out of water. Join me in this presentation and learn the inside-out of an industry that has remained in the shadows for a very long time. I will be presenting real world cheats used by gamers worldwide that in some cases closely mimic techniques that would rival numerous advanced threat actors in the malware ecosystem. Game over? Maybe not….

BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...

BlueHat Security Conference

BlueHat Seattle 2019 || Keynote

BlueHat Security Conference

Tony Chen Every game console since the first Atari was more or less designed to prevent the piracy of games and yet every single game console has been successfully modified to enable piracy. However, this trend has come to an end. Both the Xbox One and the PS4 have now been on the market for close to 6 years, without hackers being able to crack the system to enable piracy or cheating. This is the first time in history that game consoles have lasted this long without being cracked. In this talk, we will discuss how we achieved this for the Xbox One. We will first describe the Xbox security design goals and why it needs to guard against physical attacks, followed by descriptions of the hardware and software architecture to keep the Xbox secure. This includes details about the custom SoC we built with AMD and how we addressed the fact that all data read from flash, the hard drive, and even DRAM cannot be trusted. We will also discuss the corresponding software changes needed with the custom hardware to keep the system and the games secure against physical attacks.

BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story

BlueHat Security Conference

Jay Beale We will attack a real Kubernetes cluster called Bust-a-Kube, which was released in 2019 as a free learning tool. The demonstration will start by compromising a real application running in a Kubernetes pod's container, gaining low privileged remote code execution inside that container. Next, we will explore what that compromised container can see on the cluster, finding the boundaries of its privileges. We will move laterally from that container to attack microservices on the cluster, gaining remote code execution in other containers, with higher privilege. We'll find that one of those can interfere with a final highest-privilege container. That highest privilege container will permit us to abuse the Kubernetes API to compromise the entire cluster. This demonstration will involve graphic "flags," allowing attendees to repeat the attack afterward as a downloadable solitaire "capture the flag" game. We'll then discuss and perform a second demo to teach defenses, working backward to defeat necessary steps in the first demo's chain of attacks. We'll demonstrate using pod security policies to force an AppArmor profile onto any pod (container) being deployed. We'll show how volume whitelists can block an attack, then demonstrate an evasion that defeats this defense. We'll then weaken this attack with root capability limits and AppArmor. We'll demonstrate an attack path where a bad actor can use a low-privilege Kubernetes cluster compromise to abuse the cloud provider APIs. This, in turn, leads to compromising the Kubernetes cluster more fully. We'll discuss how to break this attack using a cloud metadata API security feature that's Kubernetes-specific. In the course of these demonstrations, we'll conduct the attacks both manually and with an open source attack tool called Peirates. Finally, we'll discuss defenses that we did not use, including seccomp syscall whitelists, read-only root filesystems, and freely-available service meshes.

BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense

BlueHat Security Conference

Nico Waisman Open source has won and is here to stay, but it comes with challenges. Open Source security is one of them that we face as an industry. We all consume it but what about its code quality, security practices, … Over the last 3 months, Github's Semmle Security Research Team has been triaging all open source CVEs and engaging on a subset of those performing variant analysis trying to uncover what it was missed. During this talk we will present some of these cases where we used QL to perform variant analysis, in addition to some others where we performed the full research (seed vulnerability and variant analysis) such as u-boot.

BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone

BlueHat Security Conference

Jordan Wiens & Peter LaFosse Modern binary analysis, whether for discovering vulnerabilities or analyzing malware needs automation to deal with the volume of code under inspection. And yet, while Intermediate Languages (ILs) have been used for decades in compiler design and implementation, too few reverse engineers have any experience with them even though many reverse engineering tools (Binary Ninja, Ghidra, IDA) are built on top of ILs. Given that, it's time to demystify this space and make it accessible beyond just computer scientists and researchers. There's many potentially unfamiliar concepts related to ILs: single-static assignment, value-set analysis, three argument form versus tree-based designs, and others. But what matters is how these ILs can help you build better binary analysis tools. This talk not only gives you an overview of existing ILs used in reverse engineering, but more importantly, shows you how your tooling can benefit from them. From cross-platform analysis (follow a botnet from an x86-64 desktop to a mobile arm, to an embedded MIPS), to leveraging existing data-flow capabilities that brings some of the benefits both dynamic and static analysis together, this talk will demonstrate several examples of plugins that leverage ILs to improve your ability to automatically reason over compiled code.

BlueHat Seattle 2019 || Modern Binary Analysis with ILs

BlueHat Security Conference

Elvis Collado This talk is about how an unauthenticated heap-based buffer overflow vulnerability was discovered and exploited within a router distributed by a market-leading ISP. Despite the targeted process utilizing mitigations such as DEP and ASLR, it still fell prey to known exploitation techniques. This talk will go over the thought process, failures, and road-blocks that were encountered and how they were overcame.

BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.

BlueHat Security Conference

Dirk-jan Mollema How does one research the cloud? With solutions such as Azure AD and Office 365, the underlying platform architecture and designs are not publicly documented or accessible in the same way as on-premise. This makes analyzing the security of the platform harder for external researchers. In this talk I will explain the journey and discoveries of a year of trying to understand Azure AD, including the vulnerabilities discovered in the process. This ranges from gathering information about Azure AD via undocumented APIs to installing invisible backdoors and escalating privileges via limited roles or via the link with on-premise. While some of these vulnerabilities have been resolved, several of these are unintended consequences of Azure AD's architecture and thus are important to consider when evaluating the security of your Azure AD environment. A basic understanding of Azure AD, Office 365 and its terminology is assumed for this talk.

BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD

BlueHat Security Conference

John-Luke Peck This presentation will review in hindsight and retrospect several recent incident response engagements performed over the last 12 months by a 3rd-party (non-Microsoft affiliated) security and incident response services provider. During the talk the presenter will review what went well and what did not go well during the various engagements, with a particular focus on the data, services , and support available from Microsoft & Office365/AzureAD, and how they were and were not able to be leveraged during the various engagements. This will include a focus on areas where: * Necessary data was not available because the client had not taken, or were unaware of the need to take, steps to enable collection of the data * The data & services available were successfully used during response efforts The presentation will highlight: * Lessons learned about Office365/AzureAD and Incident Response * How Office365, AzureAD, and ATP services and data were used in the response efforts * Recommendations for Office365/AzureAD tenants to improve their security & IR capabilities /before/ an incident occurs All presented examples and incidents will be de-identified to maintain and protect privacy and operational security. What this is NOT: * A service provider's sales presentation

BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations

BlueHat Security Conference

Li Chen & Ravi Sahita In this talk, we juxtapose the resiliency and trustworthiness of composition of DL and classical ML algorithms for security, via a case study of evaluating the resiliency of ransomware detection via the generative adversarial network (GAN). We propose to use GAN to automatically produce dynamic features that exhibit generalized malicious behaviors that can reduce the efficacy of black-box ransomware classifiers. We examine the quality of the GAN-generated samples by comparing the statistical similarity of these samples to real ransomware and benign software. Further we investigate the latent subspace where the GAN-generated samples lie and explore reasons why such samples cause a certain class of ransomware classifiers to degrade in performance. The automatically generated adversarial samples can then be fed into the training set to reduce the blind spots of the detectors. There has been a surge of interest in using machine learning (ML) particularly deep learning (DL) to automatically detect malware through their dynamic behaviors. These approaches have achieved significant improvement in detection rates and lower false positive rates at large scale compared with traditional malware analysis methods. ML in threat detection has demonstrated to be a good cop to guard platform security. However it is imperative to evaluate - is ML-powered security resilient enough? To generate reliable traces of system activity, we can utilize CPU-based telemetry such as Intel Processor Trace which can be extracted via a hypervisor without guest instrumentation. We advocate that file I/O events extracted from Intel processor trace together with algorithmic improvements have shown potential stronger defense in ML -based model deployment in the wild to combat ransomware attack. Our results and discoveries should pose relevant questions for defenders such as how ML models can be made more resilient for robust enforcement of security objectives.

BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...

BlueHat Security Conference

Chris Eng Why does it take so long to fix insecure code? We pair new data about the lifecycle of a vulnerability with learnings from application security programs to answer this perennial question. This analysis is not based on a survey – it's real data from real application scans. The data set contains 85,000 unique applications and 1.4 million individual assessments over a 12-month period, easily the largest application security data set of its size. Chris will describe the analysis process and some of the techniques, such as survival analysis, that were applied to the data set in order to measure and visualize outcomes. We'll focus specifically on identifying the factors that correlate most strongly (or not at all!) with fix rates. Finally, we'll provide data-backed insights on the contentious question of whether DevOps practices are a boon or a burden for security.

BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...

BlueHat Security Conference

Anamitra Dutta Majumdar & Anubhav Saini Increasing adoption of Machine Learning and Artificial Intelligence by data-driven organizations like LinkedIn is posing some important challenges related to data security and privacy. On the one hand, member data is an asset that unlocks unlimited business potential whereas, on the other hand, the consumption of the data must happen in a secure and privacy-preserving manner. This poses an interesting challenge for security and operations teams in the organization. In this presentation, we will walk through all the well-known use cases of machine learning at LinkedIn and also the phases of a machine learning pipeline. We will identify key security gaps and the corresponding security controls to address the gaps at each phase of any machine learning pipeline. The associated scalability and operational challenges for the application of security control will be explained. Controls in each phase would be put into the perspective of the Productive Machine Learning pipeline phases being built at LinkedIn There will be a section on how Blueshift will impact the application of security controls once compute and data have been decoupled. By the end of the talk, we would have described what a secure machine learning pipeline looks like and what are the key security patterns to be put in place to secure the pipeline.

BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...

BlueHat Security Conference

Jean-Ian Boutin, ESET Frédéric Vachon, ESET BIOS rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise a system at this level. Our talk will reveal such a campaign successfully executed by STRONTIUM. Earlier this year, there was a public report stating that the infamous Sofacy/APT28/Sednit APT group successfully trojanized a userland LoJack agent and used it against their targets. LoJack, a controversial anti-theft software, was scrutinized by security researchers in the past because of its unusual persistence method: a module preinstalled in many computers' UEFI/BIOS software. Several security risks were found through the years in their product, but no large in-the-wild activity was ever detected until the discovery of the STRONTIUM group leveraging some of these vulnerabilities affecting the userland agent. However, through our research, we now know that they did not stop there: they also tried, and succeeded, in installing a custom UEFI module directly in the systems' SPI flash memory. In this talk, we will detail the full infection chain showing how STRONTIUM was able to install their custom UEFI module on key targets' computers. Additionally, we will provide an in-depth analysis of their UEFI module and the associated trojanized LoJack agent.

BlueHat v18 || First strontium uefi rootkit unveiled

BlueHat Security Conference

Anthony LAOU HINE TSUEI, Tencent, Keen Security Lab Peter Hlavaty, KeenLab, Tencent Fuzzing has become a cheap and fast process for any entity looking to test the robustness of a system. In this talk we will consider the Windows Subsystem for Linux, which is a brand new subsystem implemented in the Windows Kernel. It features a compatibility interface with most of the Linux Kernel’s APIs and File systems that allows Linux developers to run their code directly on Windows. Due to the complexity and the originality of this attack surface, Microsoft has thoroughly put it under Trinity’s stress testing. Our purpose will be to provide insights on how to improve upon previous attempts in order to discover new bugs and review the architecture of WSL for further research.

BlueHat v18 || WSL reloaded - Let's try to do better fuzzing

BlueHat Security Conference

Andrea Allievi, Microsoft Spectre and Meltdown CPU have been one of the biggest security problem of the year 2018. Mitigations have already been delivered to the customers by both CPU manufacturers and OS developers. While the mitigations for Spectre type 1 and Meltdown have been successfully delivered, the mitigation for Spectre type 2, Retpoline, has been deferred for various problems. This talk will describe the implementation details of Retpoline in Windows 10 (19H1) and all the problem that we faced while testing it. Designing Retpoline has requested the collaboration of different teams in Microsoft, especially between the Kernel and the Compiler team. This talk will explain how we overcame all the implementation issues and allow all the involved Windows Kernel components to work with Retpoline in a retro-compatible way. At the end we will analyze the performance issues and explain how the Kernel team has found a solution for them

BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows

BlueHat Security Conference

Luke Jennings, Countercept Attackers have been avoiding disk and staying memory resident for over a decade and this has traditionally proven an Achilles heels for security products and the teams that operate them. The boom in both EDR products and memory forensics toolkits in more recent years have helped defenders to fight back but attackers are already adapting their approaches. This talk will cover both classic and modern techniques for injecting code into legitimate processes on Microsoft Windows systems, as well as several techniques for detecting them. This will include both system tracing methods, good for proactive detection, as well as memory analysis techniques that have the added benefit of allow detection of pre-existing compromises in real-world incident response scenarios, with a brief case study example. As part of this, practical examples will be given showing how Microsoft’s ATP and Sysmon help in this area as well as other techniques. Finally, the future of this area will be considered, including how the .NET runtime already complicates detection techniques in this area and how this will likely become increasingly challenging as more attackers discover and exploit this. By the end of the talk, the audience should understand the importance of code injection in the context of memory-resident implants, the key techniques for performing it and detecting it and the challenges of achieving this in the real-world at enterprise scale.

BlueHat v18 || Memory resident implants - code injection is alive and well

BlueHat Security Conference

Zhuo Ma, Tencent USB is one of the most common interface supported on modern computer. Modern OSes offer tons of USB drivers to support frequently used USB device classes. For other 3rd party USB device, Microsoft provide automatic driver downloading and installation via Windows AutoUpdate Service. In this talk, we consider this as a novel attacking surface exposed by Windows. We are trying to assess the vulnerability in those USB drivers provided via Windows AutoUpdate Service, which can be automatic installed and run after device plugged in. Obviously, these drivers are all designed for real USB device, which have to talk to device during running. So, the biggest obstacle for assessing these drivers is we can not prepare real USB devices for all of these drivers. To overcome this, We developed a system to emulate these USB device, further, we are trying to fuzz these drivers against our emulated USB device. By using this system, we can fuzz device drivers without the real USB device. In further, we can also precisely fuzz every stage of driver loading. We can feed any custom data to the drivers to trigger vulnerabilities. Also, this system supports IO Control Code fuzz as well. And all in all, all of this progress can be done automatically. We tested about 6000 drivers, yielded hundreds of crash by fuzzing. IO Control Fuzz also gave a reasonable result. We are going to divide our talk into three parts: the first part is about how we get the list of automatic installed USB drivers, and how to analyze these drivers in automatic ways; the second part is about the fuzzing system we designed, including the architecture of system, ways to emulating devices, key points for designing; the last part will show some vulnerabilities we found by this system.

BlueHat v18 || Massive scale usb device driver fuzz without device

BlueHat Security Conference

Brian Gorenc, Trend Micro Much like their six-legged counterparts in nature, bugs in software have a lifecycle. They are discovered, they get exploited, they get reported, they get patched, and usually, they go away. At each stage of this lifecycle, information about the vulnerability equates to a monetary value, and, depending on how this information is disseminated, that monetary value can drastically change. Various marketplaces exist for security research, and the current gray and black markets can be as robust as their white market counterparts. Different agents within these markets influence research trends by shifting finances to or away from specific areas, resulting in more bugs discovered and reported in that area. Even if you don’t directly participate in this economy, it impacts you and the systems you defend. Bugs bought and sold in the marketplace often become security patches and sometimes get wrapped into exploit kits or malware. Administering the world’s largest vendor agnostic bug bounty program puts us in a unique position to examine the inner workings of these transactions. While firmly in the white market, our experience and relationships provide us with insight across the entire exploit landscape. Some of these factors might not be obvious to those outside of the marketplace until exposed through data leaks or compromise. These hidden factors can shift prices and send researchers – and thus exploits – in new directions. Like any open market, various factors can spur changes in supply and demand, and market actors can shape what types of research either becomes public – or finds its way into an exploit kit. This presentation covers the inner-workings of the exploit marketplace, the main players in various sectors, and the winding, often controversial lifespan of a security bug. We include real-world examples of how effectively run programs have disrupted nation-state exploit usage in the wild, and take a look at how existing and impending legislation could irrevocably affect the exploit marketplace – and maybe not for the better.

BlueHat v18 || Modern day entomology - examining the inner workings of the bu...

BlueHat Security Conference

Ross Bevington, Microsoft In ‘The Matrix’ sentient machines subdue the population by developing a highly sophisticated simulation. High interaction honeypots are a lot like The Matrix, designed to convince an attacker to execute an attack so we can monitor them. But these honeypots are flawed! Attackers are continually adapting in order to evade our defenses - meaning that it’s often not enough to just set up a honeypot and watch the results roll in. Is a new approach better? Did you know that 40% of IaaS VMs in Azure are Linux? For Microsoft to protect itself and its customers Linux is a priority. At MSTIC we’ve developed a new type of Linux honeypot that allows us to deceive and control the behavior of an attacker. We are using this to understand the person behind the attack, examining them as they examine us. Using these techniques, we are able to better track the person behind the threat, build better protections and ultimately protect more Linux users - whether they are using Azure or not. In this presentation I’ll show some of the successes of running a Matrix like environment, failures where a glitch was spotted as well as deception approaches that could be applied to other domains. Finally I’ll show how easy it is to leverage Azure’s big data capabilities to build and ultimately query all this data at scale as well as how you can immediately reap the benefits of this work by connecting your Linux box to Azure Security Center.

BlueHat v18 || The matrix has you - protecting linux using deception

BlueHat Security Conference

Olle Segerdahl, F-Secure Pasi Saarinen, F-Secure A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems[1]. Today, most seem to believe that these attacks are too impractical for real world use. Microsoft has played down the threat of memory remanence attacks against BitLocker using words such as "they are not possible using published techniques"[2]. We will show techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available laptops and tablets. These techniques allow bypassing of security controls such as password protected BIOS configuration, UEFI-based Secure Boot and the TCG Platform Reset Attack Mitigation by directly manipulating the firmware storage device (EFI SPI flash chip). [1] https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf [2] https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure

BlueHat v18 || An ice-cold boot to break bit locker

BlueHat Security Conference

Mehr von BlueHat Security Conference (20)

BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...

BlueHat Seattle 2019 || Keynote

BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story

BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense

BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone

BlueHat Seattle 2019 || Modern Binary Analysis with ILs

BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.

BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD

BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations

BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...

BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...

BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...

BlueHat v18 || First strontium uefi rootkit unveiled

BlueHat v18 || WSL reloaded - Let's try to do better fuzzing

BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows

BlueHat v18 || Memory resident implants - code injection is alive and well

BlueHat v18 || Massive scale usb device driver fuzz without device

BlueHat v18 || Modern day entomology - examining the inner workings of the bu...

BlueHat v18 || The matrix has you - protecting linux using deception

BlueHat v18 || An ice-cold boot to break bit locker

Kürzlich hochgeladen

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Manulife - Insurer Transformation Award 2024

The Digital Insurer

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - The value of a flexible API Management solution for O...

Automating Google Workspace (GWS) & more with Apps Script

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Manulife - Insurer Transformation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Powerful Google developer tools for immediate impact! (2023-24 C)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Axa Assurance Maroc - Insurer Innovation Award 2024

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Data Cloud, More than a CDP by Matt Robison

A Year of the Servo Reboot: Where Are We Now?

Artificial Intelligence Chap.5 : Uncertainty

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

MS Copilot expands with MS Graph connectors

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

2024: Domino Containers - The Next Step. News from the Domino Container commu...

BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp

3. Screenshots present in this session are either from the Production environments (with obfuscated contents) or from the Demo environments

4. Digital Crimes Unit (DCU) Microsoft Azure (C+AI Security) Microsoft Security Response Center (C+AI Security) Cyber Security Services Engineering Microsoft Threat Intelligence Center (MSTIC) Office 365 Security Data & Intelligence (DI) Cyber Defense Operations Center (CDOC)

5. Consoles Host Network Big Data (Queries & Analytics) SIEM IDS++FW++

6. How does Windows Defender Advanced Threat Protection (WDATP) helps us? Windows Defender ATP (WDATP) works behind the scenes to better detect threats on the network and helps the SOC investigate and respond to data breaches.

8. Behavior- based, post- breach detection

10. Rich timeline for investigation

11.

12. Abnormal resource access Account enumeration Net Session enumeration DNS enumeration SAM-R Enumeration LDAP Enumeration (Roadmap) Brute force using NTLM, Kerberos, or LDAP Honey Token account suspicious activities Unusual protocolimplementation Malicious Data Protection Private Information (DPAPI) Request Suspicious VPN Connections Abnormal authentication requests Remote Execution Pass-the-Ticket Pass-the-Hash Overpass-the-Hash Malicious service creation MS14-068 exploit (Forged PAC) MS11-013 exploit (Silver PAC) Skeleton key malware Golden ticket non-existent account Remote execution Malicious replication requests Abnormal Modification of Sensitive Groups Suspicious domain controller promotion & replication (potential DCShadow attack)Compromised Credential ! Reconnaissance ! ! ! Lateral Movement Privilege Escalation Domain Dominance Azure ATP (AATP) detects a WIDE RANGE of Suspicious Activities on the AD & UEBA Monitoring perspectives Covers various Active Directory and User accounts related attacks across the Kill-Chain phases

13.

14.

15.

16.

17.

18. sensitive

19.        • • • • • • • •

20.

21. Horizontal Bruteforce: • a small set of passwords across many users Vertical Bruteforce: • a large set of passwords on just a few users

22. Not secure

23. LDAP_Simple_bind

24. COMPLEX

25. NO Realtime detection

26. A real attack by an adversary A service / application that leverages LDAP Simple Binds rather LDAPS

27.

28.

29.

30.

31.

32.

33.

34.

35.

36.

37.

38.

39. Changed passwords of the compromised users Checked WDATP events in the victim machines to identify any suspicious process executions later the attack Asked them to use Strong Passwords to prevent Bruteforce attacks Checked any suspicious login for the user accounts using MCAS to identify any possible compromise / access of Exchange Online / SharePoint Online Data

40.

41.

42.

43.

44. Attacker was contacted to identify the necessary reasons for the attack This was done for experimental purposes by the attacker – as a Script kiddie Attacker was educated NOT to use any malicious activities using Tools or Scripts from the Microsoft CORP domain joined machines

45.

46.

47.

48. LDAP Simple Bind Bruteforce attacks are simple, but are difficult to track Using AATP & WDATP, BF attack can be quickly detected Complex, Strong passwords help to prevent Bruteforce attacks

49.

50.

51.

52.

53.

54. Compromised Acc 1 2 Victim User 1 Victim User 2 Domain Admin DC ATTACKER BRUTE FORCE COMPROMISED ACCOUNT MOVE LATERALLY 1 2 Attack Workflow

55.

56.

57.

58.

59.

60.

61.

62.

63.

64.

65.

66.

67. In less than two hours of successfully achieving access to the permanent domain admin account, Attacker used its hash to replicate the directory to their machine: Desktop-xxxx …. a non domain joined box…… a rogue Domain Controller …

68.

69.

70.

71. Compromised account + Non DJ machine + Mimikatz can bring troubles to the AD AATP provides visibility to the attack targeting AD environment Rich time lines of WDATP helps to pinpoint anomalies of Domain joined machines

72.

73.

74.

75.

76. Securing Privileged Access Office 365 Security Rapid Cyberattacks (Wannacrypt/Petya) https://aka.ms/MCRA Video Recording Strategies SQL Encryption & Data Masking Office 365 Dynamics 365 +Monitor Data Loss Protection Data Governance eDiscovery

BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp

Ähnlich wie BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp (20)

Mehr von BlueHat Security Conference

Mehr von BlueHat Security Conference (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp