Grant Bugher with perimetergrid.com had a talk on the DEFCON101 track. “Obtaining and Detecting Domain Persistence”
As the slide above states, it is not about _how_ to hack a domain.
But assuming someone has – now what?
1st Process start command line logging and PowerShell logging enabled on all systems.
2nd SysMon(Sysinternals Monitoring Service) installed and configured on all systems
- allows logging of process creation with full command line for both current and parent processes
- records hash of process image files using SHA1, MD5, SHA256 or IMPHASH
- includes a process GUID in process create events to allow for correlation of events when Windows reuses process IDs.
- Include a session GUID in each events so as to allow correlation of events on same logon session
- logs loading of drivers or DLLs with signatures and hashes
- optional to log network connections which includes connection’s source process, IP address, port number, hostnames, and port names.
- Detects changes in file creation time to understand when a file was really created. (Malware typically modifies create time stamps to cover its tracks)
There is a lot more in the details of what we can do to detect the bad guys attacking our domain controllers or other machines.
The reason I really like this Defcon talk is that it is a focus on how to detect the attack on the network. Let’s not worry HOW it happened. Since stuff happens, and it is better to focus on detection.
Turning on the granular attack vectors on the system will allow you to have a possibility to detect an attack, or even a snoop or two.
Of course you have to have the resources to find these attacks, but it is at least possible with these tweaks (1 and 2 above) and:
Set Powershell to debugger on an important process – (and this process may have to be changed to find the ‘right’ attack vector)
Review event log tampering – if event log is modified system is compromised.
We must focus defense to things we can do and go from there.