TechDays 2013 day 0: Defending your Microsoft Infrastructure from cyber threats

The following blog post is a draft and will be updated when I have the time 🙂

Before TechDays 2013 The Hague started I visited the workshop by Marcus Murray and Hasain “The Wolf” Alshakarti. The goal of this workshop was to show the threats to your infrastructure and how you can defend against them. He showed tools like Core Impact Pro.

Starting with the threats: an attacker goes through several steps to succeed in his attack.

  1. Reconnaissance to gather generally available information about the target
  2. Try to infect one computer
  3. Lateral movement to infect more systems and extend control
  4. Finish the hack and remove evidence of the attack

Protecting yourself against step one is almost impossible. There is always information about your company on the internet, which gives insight into the organisation, such as the email addresses of employees who can then be targeted. Take the hack of RSA, where an employee opened an infected Excel sheet that had been sent directly to that employee.

This attack also shows that it is hard to protect against a direct, targeted attack. Although the mail had been flagged as spam, the user simply opened it and the machine became infected. Protecting against a direct attack with AV and firewalls alone is hard to accomplish. Another striking example of getting control of a computer is the use of a FireWire cable. If you have physical access to a computer that has a FireWire port and is running, you can skip the logon window by just hitting Enter. This attack works because, with the FireWire cable and the attacker's own computer, you can write to the target's memory (FireWire gives direct memory access) and change the logon function to accept everything.

When an attacker is on one machine he usually wants to extend his reach. This can be done with a man-in-the-middle attack where, for example, the compromised computer becomes a web proxy server and listens in on traffic. Another way is to dump the local SAM database and reuse the hashes in a new session to become an admin (passing the hash). A good example of a tool for this is mimikatz.
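A defender's counterpart to the hash-reuse step above, as an added example (not from the workshop or this post): hunt the local Security log for logon events that match the pattern. The assumptions, stated here and in the comments, are that the Event ID 4624 fields (LogonType, AuthenticationPackageName, LogonProcessName, TargetUserName, IpAddress) are read from the event XML, and that the heuristic (NTLM network logons inside a domain where Kerberos is expected, and LogonType 9 "NewCredentials" logons over NTLM, which an injected-hash session also produces) is a hunting starting point rather than a definitive indicator. It needs an elevated prompt to read the Security log.

```powershell
# Added example, not from the workshop or the original post.
# Assumption: the 4624 event XML carries the EventData fields named below.
param([int]$Hours = 24)   # how far back to look

function Get-EventField {
    # Pull one named <Data> element out of a 4624 event's XML
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$suspects = foreach ($e in $events) {
    $x         = [xml]$e.ToXml()
    $logonType = Get-EventField $x 'LogonType'
    $authPkg   = Get-EventField $x 'AuthenticationPackageName'
    $user      = Get-EventField $x 'TargetUserName'
    $src       = Get-EventField $x 'IpAddress'
    $proc      = Get-EventField $x 'LogonProcessName'

    # Machine accounts and anonymous logons are noise for this hunt
    if ($user -like '*$' -or $user -eq 'ANONYMOUS LOGON') { continue }

    if ($logonType -eq '9' -and $authPkg -eq 'NTLM') {
        # Heuristic (assumption): NewCredentials logon over NTLM
        [pscustomobject]@{ Time = $e.TimeCreated; User = $user; Source = $src; Process = $proc
                           Reason = 'NewCredentials (LogonType 9) logon over NTLM' }
    } elseif ($logonType -eq '3' -and $authPkg -eq 'NTLM' -and
              $src -and $src -notin @('-', '127.0.0.1', '::1')) {
        # Heuristic (assumption): NTLM network logon where Kerberos would be expected
        [pscustomobject]@{ Time = $e.TimeCreated; User = $user; Source = $src; Process = $proc
                           Reason = 'NTLM network logon (LogonType 3) from a remote host' }
    }
}

$suspects | Sort-Object Time | Format-Table Time, User, Source, Process, Reason -AutoSize
```

Run it on a workstation or, better, on a domain controller where all network logons are recorded; a burst of NTLM logons for one account from many sources is the pattern to look for first.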

After taking control of the system, the hacker tries to finish his attack. If he wanted information, he sends it to another server and erases as much of his footprint as possible. At this point almost everybody in the room was thinking of unplugging the internet so they could not be attacked anymore.


Of course this is not viable, so there are countermeasures. The first and most important one is to treat your clients as internet-connected devices: they are not to be trusted and should not be able to communicate directly with backend servers. This includes administrators' machines!! If an administrator's computer has been compromised, the hacker can take over everything.

For the FireWire issue, protecting yourself is simple. The fix disables all FireWire accessories, but it protects you against a local attack on the computer. For more information see KB 2516445.

  • SMB signing to computers (FireWire)
  • Separate computer for admin accounts
  • Use of virtual smart cards
  • AMA (Authentication Mechanism Assurance) (link)
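To turn the FireWire fix and the SMB signing item from the list above into something checkable, here is an added audit-and-harden script (not from the workshop, the post, or KB 2516445 itself). Assumptions, also marked in the comments: the SMB signing policy lives in the RequireSecuritySignature value under the LanmanServer and LanmanWorkstation Parameters keys; the device-installation restriction policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions with a DenyDeviceIDs list; and the hardware IDs PCI\CC_0C0010 (1394 OHCI controller) and PCI\CC_0C0A00 (Thunderbolt) are the ones the KB recommends blocking. Verify those against the KB before rolling out, and run elevated when using -Apply.

```powershell
# Added example, not from the workshop or the original post.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports findings
)

$findings = @()

# --- SMB signing: both sides must *require* signing, not merely support it ---
# Assumption: these are the policy values the SMB server and client honour.
$smbKeys = @{
    'Server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}
foreach ($name in $smbKeys.Keys) {
    $path  = $smbKeys[$name]
    $value = (Get-ItemProperty -Path $path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    if ($value -ne 1) {
        $findings += "SMB signing NOT required on $name (RequireSecuritySignature=$value)"
        if ($Apply) { Set-ItemProperty -Path $path -Name RequireSecuritySignature -Value 1 -Type DWord }
    }
}

# --- 1394 / Thunderbolt DMA: block installation of the controller classes ---
# Assumption: hardware IDs as recommended in KB 2516445; policy key layout as below.
$dmaIds   = @('PCI\CC_0C0010', 'PCI\CC_0C0A00')
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$denyList = Join-Path $restrict 'DenyDeviceIDs'
$enabled  = (Get-ItemProperty -Path $restrict -Name DenyDeviceIDs -ErrorAction SilentlyContinue).DenyDeviceIDs
$existing = @()
if (Test-Path $denyList) {
    # The list is stored as numbered string values "1", "2", ... under the subkey
    $existing = @((Get-ItemProperty -Path $denyList).PSObject.Properties |
                  Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}
$missing = @($dmaIds | Where-Object { $existing -notcontains $_ })
if ($enabled -ne 1 -or $missing.Count -gt 0) {
    $findings += "DMA-capable controllers not blocked (missing: $($missing -join ', '))"
    if ($Apply) {
        New-Item -Path $denyList -Force | Out-Null          # creates parent keys too
        Set-ItemProperty -Path $restrict -Name DenyDeviceIDs -Value 1 -Type DWord
        $next = $existing.Count + 1
        foreach ($id in $missing) {
            Set-ItemProperty -Path $denyList -Name "$next" -Value $id -Type String
            $next++
        }
    }
}

# --- Informational: is a 1394 controller actually present on this machine? ---
Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.PNPDeviceID -like 'PCI\VEN_*' -and $_.Name -match '1394' } |
    ForEach-Object { $findings += "1394 controller present: $($_.Name)" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'SMB signing is required and DMA-capable controllers are blocked.'
}
```

Without -Apply the script is read-only, so it can double as a compliance check in a logon script or a monitoring job; the device-installation policy only prevents new driver installs, so a controller that was already installed before the policy arrived still needs a reboot or a manual uninstall, as the KB describes.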

Good resources

  • Mandiant Report (link)
  • Mandiant Video (link)
  • Passing the Hash (link)