Presented by: Ammar Hasayen | MS MVP | CISSP | Cybersecurity
http://ahasayen.com
ADVANCED WINDOWS THREATS & DEFENSIVE TECHNIQUES
BSides Amman - ASU
Date: 20 April 2019
Available on SlideShare & YouTube @ammarhasayen
About Me: http://ahasayen.com
Blog: http://blog.ahasayen.com
Social Media: @ammarhasayen
CISSP | Microsoft MVP | Pluralsight Author | Book Author
IN THIS PRESENTATION
Attacking Windows Services
– Stopping the Antivirus service
– Hacking service accounts running under a domain admin account
Attacking Passwords
– Hacking the built-in admin password
– Pass-the-hash attack
Cyber Kill Chain
– Endpoint Detect & Response
• Microsoft Defender ATP
– Behavioral-based Detection
• Azure ATP
ATTACKING WINDOWS SERVICES
DEMO
Look at the antivirus service and see if we can stop it.
Hack the antivirus service and stop it.
DEMO
Inspect a Windows service running under a domain admin account.
Hack the password of the domain admin account.
Windows Service Account Best Practices
Never use highly privileged accounts (domain admin) to run services in your environment.
As a best practice, use Managed Service Accounts to run your Windows services.
Mind the principle of least privilege.
If the attacker gets privileged access to the machine, everything on that machine is compromised (even if you have antivirus).
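The slide's advice only helps if you know which services on your hosts actually run under named user accounts. The following PowerShell audit is an added example written for this page (it is not part of the presentation or its demos): it reads the logon account of every service through the Win32_Service class, sorts the accounts into built-in identities, virtual accounts, managed service accounts and named local or domain users, and, when the ActiveDirectory module is present, checks whether a named domain account is a member of Domain Admins. The function and variable names, the list of acceptable built-in identities and the use of a trailing `$` to recognise managed service accounts are assumptions made for this example.

```powershell
# Added example (not from the presentation): audit which Windows services run under named
# local/domain user accounts instead of built-in, virtual or managed service accounts.
# Assumes an elevated session on the host being audited. $BuiltIn is an assumption to tune.

# Service identities that carry no reusable domain credential.
$BuiltIn = @(
    'LocalSystem', 'NT AUTHORITY\LocalSystem', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
)

function Test-ServiceAccountCategory {
    param([string]$StartName)

    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'BuiltIn' }   # kernel drivers have no logon
    if ($BuiltIn -contains $StartName)              { return 'BuiltIn' }
    if ($StartName -like 'NT SERVICE\*')            { return 'VirtualAccount' }
    # Standalone/group Managed Service Accounts appear as DOMAIN\name$ (trailing $).
    if ($StartName -match '^[^\\]+\\[^\\]+\$$')     { return 'ManagedServiceAccount' }
    $domainPart = ($StartName -split '\\')[0]
    if ($domainPart -eq '.' -or $domainPart -eq $env:COMPUTERNAME) { return 'LocalUser' }
    return 'DomainUser'
}

# Win32_Service exposes StartName, the account the service logs on as.
$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    [pscustomobject]@{
        Name     = $svc.Name
        Account  = $svc.StartName
        Category = Test-ServiceAccountCategory -StartName $svc.StartName
        State    = $svc.State
        Path     = $svc.PathName
    }
}

# Named user accounts are the ones to review: the service's credential lives on this host,
# so if that account is a domain admin, compromising the host compromises the domain.
$review = $report | Where-Object { $_.Category -in 'DomainUser', 'LocalUser' }

if (-not $review) {
    'No services run under named user accounts on this host.'
    return
}

$adAvailable = Get-Module -ListAvailable -Name ActiveDirectory
foreach ($r in $review) {
    $isDomainAdmin = 'n/a'
    if ($adAvailable -and $r.Category -eq 'DomainUser') {
        $sam = ($r.Account -split '\\')[-1]
        try {
            $groups = (Get-ADPrincipalGroupMembership -Identity $sam -ErrorAction Stop).Name
            $isDomainAdmin = ($groups -contains 'Domain Admins')
        } catch {
            $isDomainAdmin = 'unknown'
        }
    }
    $r | Add-Member -NotePropertyName IsDomainAdmin -NotePropertyValue $isDomainAdmin
}

$review | Sort-Object IsDomainAdmin -Descending | Format-Table Name, Account, Category, IsDomainAdmin, State -AutoSize
```

Run it on a member server and the rows tagged `DomainUser` with `IsDomainAdmin = True` are exactly the configuration the slide warns about; the fix is to re-point those services at a managed service account or a least-privileged dedicated account, not to add protection to the host.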
DEMO REFERENCES
• SDDL for Device Objects
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/sddl-for-device-objects
• SID Strings
https://docs.microsoft.com/en-us/windows/desktop/secauthz/sid-strings
• PsExec Tool (used to impersonate the Local System account in the demo)
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• Service Account Password Dumper: SPAD
• Managed Service Accounts (MSA)
https://blogs.technet.microsoft.com/askds/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting/
ATTACKING PASSWORDS
DEMO
Hacking passwords in memory
Stealing the hash of the local admin
Using pass-the-hash to connect to another machine
- Obtain CMD.EXE access
- Access sensitive information
Lessons Learned
The Debug privilege user right should be monitored.
Users should not be administrators on their own machines (least privilege).
Do not use the same local administrator password on all machines.
- Use the Microsoft Local Administrator Password Solution (LAPS)
Use separate machines for admins by implementing the Privileged Access Workstation (PAW) solution.
Consider disabling the local Guest and Administrator accounts.
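The first lesson, monitoring the Debug privilege, is easy to turn into a scheduled check. The script below is an added example written for this page (not part of the presentation): it reads Security event 4672, "Special privileges assigned to new logon", which Windows writes whenever a logon token is granted sensitive rights, keeps only the events whose PrivilegeList contains SeDebugPrivilege, and reports any holder that is not on an allow-list. The parameter names, the 24-hour window and the `$ExpectedHolders` list are assumptions for this example; the event ID and its field names are standard Windows auditing.

```powershell
# Added example (not from the presentation): list logons granted SeDebugPrivilege in the last
# N hours, from Security event 4672 ("Special privileges assigned to new logon").
# Assumes an elevated session, that the "Audit Special Logon" subcategory is enabled,
# and that $ExpectedHolders is tuned to the accounts that legitimately hold this right.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [string[]]$ExpectedHolders = @('NT AUTHORITY\SYSTEM')   # assumption: tune per environment
)

function Get-DebugPrivilegeLogons {
    param([string]$Computer, [int]$LookbackHours, [string[]]$Expected)

    $filter = @{
        LogName   = 'Security'
        Id        = 4672
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the event XML so we can read named fields instead of scraping the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # PrivilegeList holds the rights granted to the new token, one per line.
        if ($data['PrivilegeList'] -notmatch 'SeDebugPrivilege') { continue }

        $account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Account  = $account
            LogonId  = $data['SubjectLogonId']
            Expected = ($Expected -contains $account)
        }
    }
}

$hits = Get-DebugPrivilegeLogons -Computer $ComputerName -LookbackHours $Hours -Expected $ExpectedHolders

# SeDebugPrivilege is what lets a process read another process's memory (including LSASS),
# so a user account that should not be a local administrator showing up here is the finding.
$hits | Where-Object { -not $_.Expected } | Sort-Object Time | Format-Table -AutoSize
```

Note that members of the local Administrators group receive SeDebugPrivilege in their elevated token by default, so on a host where users are admins this report is simply the list of all privileged logons. That is the point of the second lesson: once users are not administrators, the list shrinks to service and admin identities, and anything else is worth an investigation.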
DEMO REFERENCES
• Microsoft Local Administrator Password Solution
https://www.microsoft.com/en-us/download/details.aspx?id=46899
• Privileged Access Workstations
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
• PsExec Tool (used to connect to the target machine)
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
CYBER KILL CHAIN
Cyber Kill Chain (diagram)
Pre Breach: Malware, Deliver, Install, Command & Control
Post Breach: Lateral Movement, Staging, Exfiltration, Forensics
Detection approaches mapped onto the kill chain (diagram): Advanced Threat Detection (Classification) and Anomaly Detection
Classification techniques: Signature & Packet Filters; Heuristics, Sandboxes & Stateful Filters; Machine Learning
Endpoint Detect & Response
• Installs on the endpoint (workstation or server).
• Uses AI-based detection techniques (mainly classification).
• Uses the power of the cloud.
• Tries to identify zero-day attacks using machine learning.
• Microsoft's implementation is Microsoft Defender ATP.
Microsoft Defender ATP (diagram)
Windows Defender Smart Screen: blocks malicious websites; blocks low-reputation web downloads.
Windows Defender Endpoint Protection: blocks malicious programs and content; monitors behaviors and terminates bad processes.
Windows Defender Endpoint Detection and Response: after execution, Windows Defender ATP monitors for post-breach signals; after execution, Windows Defender Hexadite can reverse damage.
Endpoint Protection | Detection and Remediation
Advanced Real-Time Defense (diagram, six numbered steps)
Client holds the file and uploads a sample.
Sample is processed & checked against machine learning classifiers.
Cloud generates a signature and sends it to the client.
Client blocks the file and reports back, protecting all customers.
Machine Learning for Endpoint Protection (diagram)
Client (milliseconds): local ML models, behavior-based detection algorithms, generics and heuristics
Cloud (milliseconds): metadata-based ML models
Cloud (seconds): sample analysis-based ML models
Cloud (minutes): detonation-based ML models
Cloud (hours): big data analysis
DEMO
Simulate an attack
- Deliver malware to a machine
- The document drops a backdoor
- The malware creates a scheduled task (auto-start)
- Detect the attack in Microsoft Defender ATP
- Explore the response actions
Exploring the Microsoft Defender ATP portal
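The persistence step of the simulated attack, a dropped backdoor registered as an auto-start scheduled task, leaves two traces a defender can hunt for without an EDR: the task itself and the Security event recording its creation. The script below is an added example written for this page (not part of the demo or of Microsoft Defender ATP): it lists enabled scheduled tasks whose action executes from a user-writable location and flags whether they fire at logon or boot, then lists recent task creations from Security event 4698 together with the command embedded in the task XML. The `$SuspiciousRoots` list, the 7-day window and the function name are assumptions for this example; Get-ScheduledTask, event 4698 and its TaskContent field are standard Windows.

```powershell
# Added example (not from the presentation): hunt for scheduled-task persistence of the kind
# the demo simulates. Assumes an elevated session and, for event 4698, that the
# "Audit Other Object Access Events" subcategory is enabled. $SuspiciousRoots is an assumption.

$SuspiciousRoots = @(
    "$env:SystemDrive\Users\",     # user profiles: AppData, Downloads, Desktop, ...
    "$env:ProgramData\",
    "$env:SystemRoot\Temp\",
    "$env:SystemRoot\Tasks\"
)

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $SuspiciousRoots) {
        if ($p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Existing tasks: inspect each action's executable/arguments and whether the task auto-starts.
$findings = foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # COM-handler actions have no Execute property
        $suspicious = (Test-UserWritablePath $action.Execute) -or (Test-UserWritablePath $action.Arguments)
        if (-not $suspicious) { continue }
        $autoStart = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger'
        }
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            RunAs     = $task.Principal.UserId
            AutoStart = [bool]$autoStart
            Command   = "$($action.Execute) $($action.Arguments)"
            Author    = $task.Author
        }
    }
}
'== Enabled scheduled tasks executing from user-writable paths =='
$findings | Format-Table -AutoSize

# 2. Recent creations: event 4698 records who created a task and embeds the full task XML.
'== Scheduled tasks created in the last 7 days (Security event 4698) =='
$filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($i in $x.Event.EventData.Data) { $d[$i.Name] = $i.'#text' }
    # TaskContent is the task definition XML; pull the command it runs.
    $exec = ([xml]$d['TaskContent']).Task.Actions.Exec
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Creator = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Task    = $d['TaskName']
        Command = "$($exec.Command) $($exec.Arguments)"
    }
} | Format-Table -AutoSize
```

The path heuristic is deliberately narrow: a task that runs a signed binary from Program Files with a script in AppData as its argument is still caught, but one that copies itself into a privileged directory is not, which is why the 4698 view (who created what, when) is the more reliable of the two and is what an EDR such as Defender ATP correlates with the document that dropped the file.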
Anomaly Detection (Unsupervised)
Behavioral-based Detection
• Happens post breach (lateral movement).
• Identifies anomalies in the network.
• Can be seen in IDS, IPS or other types of implementations.
• Microsoft's implementation is Azure Advanced Threat Protection (Azure ATP), formerly known as ATA.
Azure ATP (diagram): the security expert profiles users, groups and machines by asking: Which machine? Which logon hours? Is it sensitive? Who are the peers? Which resources?
Azure ATP Detecting Unusual Behaviour (diagram): Alice accessing the CFO machine, evaluated against the same questions.
Azure ATP Detecting Unusual Behavior (diagram): Alice accessing Finance files, evaluated against the same questions.
Azure Advanced Threat Protection (diagram, five stages)
1. Collect: DC logs, SIEM, Windows events; L7 deep packet inspection.
2. Analyze & Learn: self-learning and profiling technology, patented IP resolution, unlimited scale by Azure.
3. Detect: abnormal behavior & suspicious activities.
4. Alert & Investigate: intuitive attack timeline; lateral movement graphs; alerts via email & scheduled reports.
5. Integrate: integrated with Windows Defender ATP to further dig deep into device health.
DEMO REFERENCES
• Cyber Kill Chain
https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-101-july2017.pdf
• Microsoft Defender ATP
https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
• Azure Advanced Threat Protection (Azure ATP)
https://blog.ahasayen.com/tag/azure-atp/
SUMMARY
Windows service account attacks and defensive techniques
Attacking passwords in memory
– Pass-the-hash
– The risk of the same local admin password everywhere
Cyber kill chain
– Pre-breach endpoint detection
• Microsoft Defender ATP
– Post-breach detection
• Azure ATP
REFERENCES
• Introduction to Azure Advanced Threat Protection (Azure ATP)
https://blog.ahasayen.com/tag/azure-atp/
• Secure Modern Workplace With Microsoft ATP
https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced-threat-protection/
• My YouTube Video on Microsoft ATP
https://youtu.be/3pVRmaxNPJs
• Microsoft Cloud App Security
https://blog.ahasayen.com/microsoft-cloud-app-security-casb/
YOU CAN ACCESS THE SLIDES FROM SlideShare @ammarhasayen
YOU CAN WATCH THIS PRESENTATION ON YOUTUBE http://YouTube.com/ammarhasayen
PLEASE SHARE YOUR FEEDBACK ON ONE OF MY SOCIAL CHANNELS @ammarhasayen
CHECK OUT MY BLOG http://blog.ahasayen.com
CONNECT ON SOCIAL MEDIA @ammarhasayen
SUBSCRIBE NOW http://Youtube.com/AmmarHasayen
CHECK OUT MY COURSES IN PLURALSIGHT https://www.pluralsight.com/authors/ammar-hasayen
CREDIT
I want to thank the BSides Amman community in Jordan for having me as a speaker in the first edition of this conference. Special thanks to Layla Al-Zoubi for recommending my name as a speaker.
Big thanks to all the great audience who gave me amazing feedback and encouraged me to share my slides and record a YouTube video for offline viewing.
Thanks to all the sponsors who made this event a professional conference in terms of facilities, media coverage and organization.
I would encourage people to follow BSides Amman on social media (@BSidesAmman) and follow their Facebook page for future events to come.
Note: Some demos are inspired by Paula J, CQURE.
PHOTO ALBUM
Bsides Amman 2019
https://youtu.be/IRhLDqorVbw
COPYRIGHT STATEMENT
I want to help you share knowledge and creativity, to build a more equitable, accessible, and innovative world, by unlocking the potential of the internet to drive a new era of development, growth and productivity.
This is why I provide you with my copyright license, to make it easy for you to share and use creative work on simple terms and conditions. This license lets you remix, tweak, and build upon my work non-commercially, as long as you credit me and license your new creations under the identical terms.
https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
Attribution-NonCommercial-ShareAlike

 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Windows Advance Threats - BSides Amman 2019

  • 11. DEMO Hacking password in memory Stealing the hash of the local admin Using Pass-the-hash to connect to another machine - Obtain CMD.EXE access - Access sensitive information
  • 12. Lessons Learned: The Debug Privilege right should be monitored. Users should not be admins on their machines (least privilege). You should not have the same local administrator password on all machines - use Microsoft Local Administrator Password Solution (LAPS). Use separate machines for admins by implementing the Privileged Admin Workstation (PAW) solution. Consider disabling the local Guest and Administrator accounts.
  • 13. DEMO REFERENCES • Microsoft Local Administrator Password Solution https://www.microsoft.com/en- us/download/details.aspx?id=46899 • Privileged Access Workstations https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged- access/privileged-access-workstations • PsExec Tool used to connect to the target machine https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
  • 15. Cyber Kill Chain Malware Deliver Install Command & Control Pre Breach Post Breach Lateral Movement Staging Exfiltration Forensics Advanced Threat Detection (Classification) Anomaly Detection Signature & Packet Filters Heuristics, Sandboxes & Stateful Filters Machine Learning
  • 16. Endpoint Detect & Response  Installs on the endpoint (workstation or server).  Uses AI-based detection techniques (mainly classification).  Uses the power of the cloud.  Tries to identify zero-day attacks using machine learning.  Microsoft implements this as Microsoft Defender ATP.
  • 17. Microsoft Defender ATP Windows Defender Endpoint Detection and Response Windows Defender Endpoint Protection Windows Defender Smart Screen Block malicious websites Block low reputation web downloads Monitors behaviors and terminates bad processes Block malicious programs and content After execution – Windows Defender Hexadite can reverse damage After execution – Windows Defender ATP monitors for post-breach signals Endpoint Protection Detection and Remediation
  • 18. Advanced Real-Time Defense Client holds file and upload sample Sample is processed & checked against machine learning classifiers Cloud generates signature and sends to client Client blocks file and report back, protecting all customers 1 2 3 4 5 6
  • 19. Machine Learning for Endpoint Protection Local ML models, behavior-based detection algorithms, generics and heuristics Metadata-based ML models Sample Analysis-based ML models Detonation-based ML Models Big Data Analysis Client Cloud Milliseconds Milliseconds Seconds Minutes Hours
  • 20. DEMO Simulate an attack - Delivering malware to a machine - Document drops backdoor - Malware creates schedule task (auto- start) - Detect attack on Microsoft ATP - Explore response actions Exploring Microsoft Defender ATP portal
  • 21. Anomaly Detection (Unsupervised)
  • 22. Behavioral-based Detection  Happens post breach (lateral movement).  Identifies anomalies in the network.  Can be seen in IDS, IPS or other types of implementations.  Microsoft implements Azure Advanced Threat Protection (Azure ATP), formerly known as ATA.
  • 24. Azure ATP Detecting Unusual Behaviour Azure ATP Machine? Logon Hours? Sensitive? Peers? Resources? Alice CFO Machine
  • 25. Azure ATP Detecting Unusual Behavior Azure ATP Machine? Logon Hours? Sensitive? Peers? Resources? Alice Finance Files
  • 26. Azure Advanced Threat Protection 1 Collect: DC logs, SIEM, Windows events; L7 deep packet inspection. 2 Analyze & Learn: self-learning and profiling technology, patented IP resolution, unlimited scale by Azure. 3 Detect: abnormal behavior & suspicious activities. 4 Alert & Investigate: intuitive attack timeline, lateral movement graphs, alerts via email & scheduled reports. 5 Integrate: integrated with Windows Defender ATP to further dig deep into the device health.
  • 27. DEMO REFERENCES • Cyber Kill Chain https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-101- july2017.pdf • Microsoft Defender ATP https://www.microsoft.com/en-us/windowsforbusiness/windows-atp • Azure Advanced Threat Protection (Azure ATP) https://blog.ahasayen.com/tag/azure-atp/
  • 28. SUMMARY Windows service account attacks and defensive techniques Attacking passwords in memory – Pass-the-hash – Same local admin password risk Cyber kill chain – Pre-breach endpoint detection • Microsoft Defender ATP – Post-breach detection • Azure ATP
  • 29. REFERENCES • Introduction to Azure Advanced Threat Protection (Azure ATP) https://blog.ahasayen.com/tag/azure-atp/ • Secure Modern Workplace With Microsoft ATP https://blog.ahasayen.com/secure-modern-workplace-with-microsoft-365-advanced- threat-protection/ • My YouTube Video on Microsoft ATP https://youtu.be/3pVRmaxNPJs • Microsoft Cloud App Security https://blog.ahasayen.com/microsoft-cloud-app-security-casb/
  • 30. YOU CAN ACCESS THE SLIDES FROM SlideShare @ammarhasayen
  • 31. YOU CAN WATCH THIS PRESENTATION ON YOUTUBE http://YouTube.com/ammarhasayen
  • 32. PLEASE SHARE YOUR FEEDBACK ON ONE OF MY SOCIAL CHANNELS @ammarhasayen
  • 37. CREDIT I want to thank the BSides Amman community in Jordan for having me as a speaker in the first edition of this conference. Special thanks to Layla Al-Zoubi for recommending my name as a speaker. Big thanks to all the great audience who gave me amazing feedback and encouraged me to share my slides and record a YouTube video for offline viewing. Thanks to all sponsors who made this event a professional conference in terms of facilities, media coverage and organization. I would encourage people to follow BSides Amman on social media (@BSidesAmman) and follow their Facebook page for future events to come. Note: Some demos are inspired by Paula J, CQURE.
  • 38. PHOTO ALBUM Bsides Amman 2019 https://youtu.be/IRhLDqorVbw
  • 40. COPYRIGHT STATEMENT I want to help you share knowledge and creativity, to build a more equitable, accessible, and innovative world, by unlocking the potential of the internet to drive a new era of development, growth and productivity. This is why I provide you with my copyright license, to make it easy for you to share and use creative work on simple terms and conditions. This license lets you remix, tweak, and build upon my work non-commercially, as long as you credit me and license your new creations under the identical terms. https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode Attribution-NonCommercial-ShareAlike

Notas do Editor

  1. Hi everyone, I was honored to be talking at the first BSides security conference in Jordan. Many people asked me to record my session and make it available online, so here we go. Today we are going to talk about advanced Windows threats and defensive techniques. There are many demos in this session, and we are going to have deep-dive technical content, so be prepared. The slides will be available on SlideShare and YouTube.
  2. So, my name is Ammar Hasayen. I am a Certified Information Systems Security Professional and a Microsoft MVP. I author courses on Pluralsight about security topics and I recently authored a book about cloud migration where I cover the cloud reference architecture and cloud security. Mainly, I help organizations move to the cloud without compromising security, governance and compliance. I also speak at international conferences in the United States and Europe. Now, you can learn more about me at ahasayen.com, and you can also check my blog at blog.ahasayen.com.
  3. Today, we are going to do a lot of hacking. We will start by hacking a Windows service by trying to stop the antivirus service that, as we know, cannot be stopped. I know that many organizations are also running services under the domain admin account, so we will hack the password of the domain admin account by hacking into a Windows service. Next, we will try to hack the password of the built-in admin on a Windows machine, and then use the pass-the-hash technique to get access to credit card data on a remote machine. Finally, we will talk about the cyber kill chain, and this is where things get interesting. We will talk about pre-breach defenses, that is, how to detect attacks while they are happening, and then we will move to post-breach detection using behavioral-based techniques. If this is something that you find interesting, keep watching.
  4. Now, let us start with attacking a Windows service and by that we will move to a demo.
  5. In this demo, we are going to look at the antivirus service. This is the first thing attackers will try to stop so that they can work freely on that box and download other payloads to evade detection. Now we all know that the antivirus service is hardened in a way that you cannot just stop it even if you are a local admin on the machine. But believe me when I say, there are other ways to do that. So let’s jump into our demo.
  6. Now that you know that any service in Windows can be stopped if you are an admin on the machine, let us do something else. The top security threat that every penetration tester finds in almost every organization is a Windows service running under a domain admin account or any other highly privileged account. This can be your backup service that needs access to all files so that they can be backed up, or even a SQL database running under an admin account. Now, what if the attacker hacks into the box and can reveal the password of that service account running under the domain admin account? Yes, this can be done. In fact, you can reveal the password in clear text. Believe me when I say that the first thing attackers will do is search for service accounts running under a domain admin account, and once they find one, it's game over. So let us dive into our demo and see how this works.
  7. I know that all this sounds scary, and by now, you should carefully consider what account is used to run your services. You should never use the domain admin account to run any Windows service, and there is no exception whatsoever for doing this. Now, the best way to handle service accounts is to use Managed Service Accounts. They have been available for you to use since Windows Server 2008 R2, and the password of such accounts is managed by your domain controller. There is also another variation of managed service accounts called Group Managed Service Accounts that allows you to use the same managed service account across multiple machines; think of an IIS pool account that is shared across many front-end nodes. The next thing that you should consider is to give service accounts just enough privilege to carry out their purpose, nothing more and nothing less, and remember, once an attacker hacks into a machine, every account used on that box should be considered compromised, including service accounts running on that box.
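As an added example (not from the talk or its demos), the PowerShell below audits which services run under accounts that are members of privileged AD groups, then shows the group Managed Service Account replacement the notes recommend. It assumes the RSAT ActiveDirectory module and an existing KDS root key; the names svc-backup, BackupServers, BackupSvc and the domain corp.example are placeholders.

```powershell
# Added example, not part of the original slides. Assumes the ActiveDirectory
# RSAT module on the admin workstation and (for the gMSA part) a KDS root key
# already created in the domain. Service, group, host and domain names are
# placeholders chosen for the example.
Import-Module ActiveDirectory

# Run-as identities that are expected for built-in services and are not reported.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-PrivilegedServiceAccount {
    <#
      Lists services on the given computers whose run-as account is a (possibly
      nested) member of a highly privileged group. Every row returned is a
      credential that lives on a box where a local admin can recover it.
    #>
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [string[]] $PrivilegedGroup = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators')
    )

    # Resolve group membership once; -Recursive expands nested groups.
    $privileged = foreach ($group in $PrivilegedGroup) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }
    $privileged = @($privileged | Sort-Object -Unique)

    foreach ($computer in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
            Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
            ForEach-Object {
                # StartName is DOMAIN\sam, sam@domain.fqdn or .\localuser
                $startName = $_.StartName
                $sam = switch -Regex ($startName) {
                    '^[^\\]+\\(?<sam>.+)$' { $Matches.sam; break }
                    '^(?<sam>[^@]+)@'      { $Matches.sam; break }
                    default                { $startName }
                }
                if ($privileged -contains $sam) {
                    [pscustomobject]@{
                        Computer = $computer
                        Service  = $_.Name
                        RunAs    = $startName
                        State    = $_.State
                        Path     = $_.PathName
                    }
                }
            }
    }
}

# Example run: every server in the domain, exported for remediation tracking.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
           Select-Object -ExpandProperty DNSHostName
Get-PrivilegedServiceAccount -ComputerName $servers |
    Export-Csv -NoTypeInformation -Path .\privileged-services.csv

# Remediation: a group Managed Service Account. AD owns the password (rotated
# every 30 days by default) and only hosts in BackupServers can retrieve it.
New-ADServiceAccount -Name 'svc-backup' `
    -DNSHostName 'svc-backup.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BackupServers'

# On each backup host (a member of BackupServers; reboot so its Kerberos ticket
# carries the new group membership), install the account, verify the host can
# fetch the password, and re-point the service. The account name ends with $
# and no password is supplied, so nothing reusable is stored on the box.
Install-ADServiceAccount -Identity 'svc-backup'
Test-ADServiceAccount   -Identity 'svc-backup'    # $true when the host can retrieve the password
sc.exe config BackupSvc obj= 'CORP\svc-backup$' password= ''
```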
  8. Now, during the demo, I used many tools and talked about a lot of technologies, so make sure to check these links for more information.
  9. What about hacking passwords on Windows machines? Let's jump into a demo and see what we can do to hack passwords.
  10. In this demo, we have a Windows machine that can be an end user machine or even a server with many admins logging on there to do some administrative tasks. We are then going to view that protected portion of memory where password hashes are located and which is protected by Windows. Then, we are going to reveal the hash of the local admin password and use that hash to perform a pass-the-hash attack to obtain access to a high-value remote server and access sensitive information. So let us start our demo.
  11. What we can learn from that demo is that the debug privilege is a very risky privilege. You should use group policy to prevent anyone, including administrators, from having such a right, unless you have specific needs on certain machines to give, for example, some developers such a right. Also, users should not be admins on their machines. They should be running under a normal account and perhaps use another account with high privilege to carry out administrative tasks. As we saw in the demo, we used the hash of the local admin to connect to a remote machine because the local admin password is the same across all machines. You should always make sure to have a different local admin password across your machines, and to do that, you can use a solution from Microsoft called the Local Administrator Password Solution or LAPS. Also, as a best practice, you should have your admins working with two machines, one machine to access email and browse the web, and a separate machine to perform highly privileged tasks. This way, if malware was delivered through the web or email, it cannot do much damage, because your admins are using a separate machine for admin tasks. Now one of the two machines can be a virtual machine, and there is a great solution and guide from Microsoft to implement that. It is called the Privileged Admin Workstation, which I encourage you to look at. Finally, you can disable the local administrator and guest accounts on all machines just in case.
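As an added example (not from the talk), this PowerShell checks two of the lessons above on a domain-joined host: who currently holds the debug privilege (SeDebugPrivilege), whether it has been used recently, and which computers have never received a LAPS-managed local administrator password. It assumes the RSAT ActiveDirectory module and the legacy LAPS schema extension (attribute ms-Mcs-AdmPwdExpirationTime).

```powershell
# Added example, not part of the original slides. Assumes the ActiveDirectory
# RSAT module and the legacy LAPS schema extension in the domain.
Import-Module ActiveDirectory

function Get-DebugPrivilegeHolder {
    # Exports the effective User Rights Assignment with secedit and resolves
    # the SIDs that hold SeDebugPrivilege to account names.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }            # nobody holds the right

    # The line looks like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
        [pscustomobject]@{ Sid = $sid; Account = $name }
    }
}

# The default holder is BUILTIN\Administrators (S-1-5-32-544) only. Any extra
# principal is a finding; manage the right centrally via GPO under
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment > "Debug programs".
Get-DebugPrivilegeHolder | Format-Table -AutoSize

# Uses of the right are visible once auditing of event 4703 ("A user right was
# adjusted") is enabled: the event lists SeDebugPrivilege among the enabled
# privileges of the process that turned it on. Last 24 hours on this host:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SeDebugPrivilege' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

function Get-LapsCoverage {
    # Computers with no password-expiration stamp have never been managed by
    # LAPS, which is where the "same local admin password everywhere" risk lives.
    Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'      # FILETIME as Int64, or $null
            [pscustomobject]@{
                Computer    = $_.Name
                LapsManaged = [bool]$raw
                Expires     = if ($raw) { [datetime]::FromFileTime([int64]$raw) } else { $null }
            }
        }
}

# Machines still sharing whatever password the image or build script set.
Get-LapsCoverage | Where-Object { -not $_.LapsManaged } | Sort-Object Computer
```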
  12. Again, here are some good references for you to learn more about some of the tools and technologies we talked about.
  13. Now, let us shift geers and talk about a famous security topic which is the Cyber Kill chain
  14. A cyber kill chain reveals the phases of a cyber attack from early reconnaissance to the goal of data exfiltration. It can be used however by security professional to improve network defenses in each stage of the cyber kill chain Usually an attacker selects a target and do some researches to learn how learn about vulnerabilities. This is usually called the reconnaissance phase. Now the attacker is ready to move to the weaponization phase as he creates a malware trailed to one of the vulnerabilities discovered. Guess what’s the next step? Of course the attacker delivers the malware to the target via an email attachment, USB drives or any other possible way. No that the malware lives in the target machine and network; the malware start a privilege escalation on the local machine to elevate its right and installs an access point or backdoor and then connects to the command and control center so that an intruder can now have remote access. Most of the time, patient zero or the first machine being hacked is not interesting enough, it just happened that it is the weakest entry point to attack the network. So the attacker now starts discovering the machines and resources and move from one machine to another (this is called lateral movement) until he gets to the intended resource or credential. This can be the domain admin credentials or perhaps a database with high value information which is the data exfiltration phase. The objective can also be data corruption or data destruction. Now usually it takes long time usually until someone discovers that an attack happen, and forensics teams are involved trying to understand how the attack happened in the first place, what targets are compromised, and what was the damage. From security defensive point of view, we can think of two types of detection and prevention measures that maps to the pre breach and post breach phases of he cyber kill chain. 
In the pre breach phase, We have signatures and packet filters that are good in recognizing known threats and then injecting the results in the form of antivirus signatures or intrusion detection-based signature systems. With time attacks becomes more sophisticated and they start to adapt to evade detection using technologies like polymorphism, and with that, the defenses themselves start to evolve and we start seeing heuristics and behavioral rules being introduced into the security space including sandboxes where pieces of the content would be executed in a safe isolated environment and then monitored for signs of malicious behavior. But the problem with this approach is that it really based on having identified threats and then constructing these rules and behaviors that you would look for intruder to identify similar threat even if their signatures had changed. The next wave is machine learning, promise of being able to get a head of a threat, really moving and not being reliant on having to have found something before in order to be able to detect it for the first time and this is driven by the introduction of zero day malware that are coming out and the sophistication of the adversary was growing and therefore there was definitely a desire to get amore sophisticated defense. The promise is being able to build super intelligent machine that would be able to reason its way through the high volume and velocity of data that is prevalent in the cyber environment
  15. One way of using machine learning is at the endpoint level which usually involved classification or supervised machine learning models. the game is typically around classification most often being applied to particular piece of content in the network so this is things like (windows exe, pdf , word, or network streams) that can be labeled as being malicious and the whole supervised technique is really is really about starting with labeled data that feeds machine learning algorithms and they learn from those labels and learns from the properties of the file s or samples that go into that machine learning system and then it predicts if the file is clean or not. Now, Microsoft has a great solution at the endpoint level call Microsoft Defender Advanced Threat Protection that really can help here.
  16. Microsoft is changing their whole strategy when it comes to endpoint protection. Inf act, the name Windows defender is not just the antivirus we all used to know and perhaps choose not to trust. Windows Defender ATP is the new thing and it is a brand name, that consists of many products, all working together tightly, using the power of the cloud and all the signals from Microsoft threat intelligent, to deliver a comprehensive solution that can protect endpoint from zero day attacks and most sophisticated malware out there. As an example, Windows defender smart screen block low reputation web downloads and even malicious websites, while Windows Defender end point protection monitors all Windows processes and files, and then terminate or clean any infection found. The next innovation that comes with Windows defender ATP is the ability to automate the response part of the attack, which is possible through a recent acquisition to a company called Hexadite so that security admins don’t need to worry much about responding to threats as this is taken care of by this new automation capability.
  17. And the new way of defending against attacks is by utilizing the power of the cloud and the intelligent security graph in Microsoft. Microsoft intelligent security graph provides rich signals from vast security intelligence, machine learning and behavioral analytics that Microsoft allows you to consume and use to enhance your protection and detection speeds. So when Windows defender encounters a new file that it does not know if it is bad or good file, it sends a file query to the cloud. If the cloud knows about this file, it will provide a feedback to the endpoint, else it will ask for a sample. The client will holds the file and upload a sample to the cloud. The cloud services will process the sample and check against machine learning classifiers, trying to find out whether the file is good or not, and then if the file turned out to be holding a malicious code, it will generate a new signature to that file and sends it back to the client along with all other clients so that when they encounter this file, they know already to block it.
  18. And you might be asking, does this mean the client needs to consult the cloud and wait for an answer, and what if there is no internet connection at that time? Well, here is how things are designed. Each Windows defender client has local machine learning models, and behavior-based detection algorithms , so that it can use all that logic offline and without consulting the cloud. This operation take only milliseconds. The client can consult the cloud services by sending only metadata so that the cloud can use metadata based machine learning models to determine if the file is malicious or not. This only takes milliseconds. If the cloud requested a sample, then sample analysis based machine learning models are used in the cloud which might takes seconds. In certain scenarios, detonation based machine learning models can be invoked which might take minutes, and big data analysis can take up to hours. What this means is that the client will not wait for minutes and hours. If the file is infected and the cloud could not determine it is a bad file in seconds, the client will allow that file to run. In the background, the cloud will continue working and analyzing and might do detonation based ML models and big data analysis to get the truth about that file, so other clients can be notified and updated, although we list patient zero in the process
19. The next wave of applying machine learning and AI to your defensive strategy is detecting attacks after they happen: if your endpoint protection fails to stop an attack, how do you know that an attack is under way inside your network? This is where another form of machine learning is applied, anomaly detection, also called unsupervised learning. Put simply, the machine learns what is normal and notices when something occurs outside of that norm. It does not label the event good or bad, but it is still a great complement to a supervised approach, because it can surface things that a human researcher might not find or that an antivirus product fails to detect.
20. Anomaly detection usually comes into play after the attacker has compromised a machine and starts moving inside your network, perhaps looking for more valuable assets. Microsoft's answer in this area is Azure Advanced Threat Protection, or Azure ATP, which was formerly known as Advanced Threat Analytics (ATA).
21. Let me help you visualize how anomaly detection can detect an attack after it happens. Suppose we have John, a new hire who is a security expert and whose job is to monitor your environment for attacks. The first thing John does is learn about the environment. He starts with all the machines in the network, for example which operating systems they run. He also learns about all the users and groups in the network, especially who is a member of highly privileged groups such as Domain Admins and Schema Admins. Now that John knows every machine, user and group in the environment, he starts learning about the behavior of users. For each user, John creates a behavioral profile: which machines the user normally uses, what the user's logon hours are, and whether the user is sensitive. For each user John also learns who the user's peers are, whom the user works with, and finally which resources the user normally accesses.
22. Now let us replace John with Azure ATP, whose agent (the Azure ATP sensor) you install on every domain controller in your environment. Suppose we have Alice, who works in the HR department, and remember that Azure ATP knows everything about Alice: her working hours, the machine or machines she normally logs on to, and the resources she usually accesses. If the Azure ATP sensor now sees Alice logging on from the CFO's machine, it immediately detects an anomaly and raises an alert to the security team, because that might mean an attacker has compromised her machine and used a technique such as pass-the-hash to move to the CFO's machine, something Alice would normally never do.
23. The same thing happens if Azure ATP sees Alice trying to access the finance share: that is an anomaly, because Azure ATP learned during its learning phase that Alice normally does not access the finance share. Azure ATP is a great tool to have in your environment, and it complements the other security measures and controls you already have, to detect attacks happening inside your network early.
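The learn-then-detect steps John goes through, as an added PowerShell example that is not part of the presentation and is not how Azure ATP is implemented: it learns a profile per user from constructed logon records (hosts used, earliest and latest logon hour, shares accessed) and then scores new records against that profile, flagging the lateral move to a sensitive user's machine separately. The account names, hosts, shares and the hour-window rule are assumptions made for the example.

```powershell
# Added example (not code from the presentation): a minimal version of the per-user
# behavioral profile described above. The logon records are constructed and shaped
# like the fields of Security event 4624 (account, workstation, time) plus the share
# accessed (event 5140); user names, hosts and shares are invented. In a real
# network the baseline comes from the domain controllers' Security logs, e.g.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }, which is what
# the Azure ATP sensor automates.

function New-LogonRecord([string]$User, [string]$Computer, [string]$Time, [string]$Share) {
    [pscustomobject]@{ User = $User; Computer = $Computer; Time = [datetime]$Time; Share = $Share }
}

# Learning phase (constructed): ordinary behavior of an HR user and of the CFO.
$learning = @(
    New-LogonRecord 'alice' 'HR-WS01'  '2019-03-04 08:12' '\\FS01\HR'
    New-LogonRecord 'alice' 'HR-WS01'  '2019-03-05 08:40' '\\FS01\HR'
    New-LogonRecord 'alice' 'HR-WS02'  '2019-03-06 09:05' '\\FS01\HR'
    New-LogonRecord 'alice' 'HR-WS01'  '2019-03-07 17:30' '\\FS01\HR'
    New-LogonRecord 'cfo'   'CFO-LT01' '2019-03-04 07:55' '\\FS01\Finance'
    New-LogonRecord 'cfo'   'CFO-LT01' '2019-03-05 08:10' '\\FS01\Finance'
    New-LogonRecord 'cfo'   'CFO-LT01' '2019-03-06 18:20' '\\FS01\Finance'
)

# Learn: for each user, the hosts used, the earliest/latest logon hour and the shares accessed.
function New-BehaviorProfile($Records) {
    $profiles = @{}
    foreach ($r in $Records) {
        if (-not $profiles.ContainsKey($r.User)) {
            $profiles[$r.User] = @{
                Hosts   = [System.Collections.Generic.HashSet[string]]::new()
                Shares  = [System.Collections.Generic.HashSet[string]]::new()
                MinHour = 24
                MaxHour = -1
            }
        }
        $u = $profiles[$r.User]
        [void]$u.Hosts.Add($r.Computer)
        [void]$u.Shares.Add($r.Share)
        $u.MinHour = [Math]::Min($u.MinHour, $r.Time.Hour)
        $u.MaxHour = [Math]::Max($u.MaxHour, $r.Time.Hour)
    }
    return $profiles
}

# Detect: compare one new record against the learned profile and return every deviation.
function Test-LogonAnomaly($Profiles, $Record, [string[]]$SensitiveUsers) {
    if (-not $Profiles.ContainsKey($Record.User)) {
        return @("no baseline for account $($Record.User)")
    }
    $p = $Profiles[$Record.User]
    $reasons = @()
    if (-not $p.Hosts.Contains($Record.Computer)) {
        $reasons += "logon from unfamiliar host $($Record.Computer)"
    }
    # Logging on to a host that belongs to a sensitive user's profile is the
    # pass-the-hash lateral-movement pattern from the demo, so call it out explicitly.
    foreach ($s in $SensitiveUsers) {
        if ($s -ne $Record.User -and $Profiles.ContainsKey($s) -and $Profiles[$s].Hosts.Contains($Record.Computer)) {
            $reasons += "host $($Record.Computer) is normally used only by sensitive account $s"
        }
    }
    $h = $Record.Time.Hour
    if ($h -lt $p.MinHour -or $h -gt $p.MaxHour) {
        $reasons += "logon at ${h}:00 is outside usual hours $($p.MinHour):00-$($p.MaxHour):00"
    }
    if ($Record.Share -and -not $p.Shares.Contains($Record.Share)) {
        $reasons += "access to unfamiliar share $($Record.Share)"
    }
    return $reasons
}

$profiles  = New-BehaviorProfile $learning
$sensitive = @('cfo')

# Detection phase (constructed): one ordinary logon and one that matches the scenario above.
$today = @(
    New-LogonRecord 'alice' 'HR-WS01'  '2019-04-01 08:30' '\\FS01\HR'
    New-LogonRecord 'alice' 'CFO-LT01' '2019-04-01 02:15' '\\FS01\Finance'
)
foreach ($e in $today) {
    $reasons = @(Test-LogonAnomaly $profiles $e $sensitive)
    $verdict = if ($reasons.Count -gt 0) { 'ALERT' } else { 'ok' }
    '{0,-5} {1,-6} {2,-8} {3:HH:mm}  {4}' -f $verdict, $e.User, $e.Computer, $e.Time, ($reasons -join '; ')
}
```

The second record trips all four rules at once (unfamiliar host, a sensitive user's host, out-of-hours, unfamiliar share), which is the point of building the profile from several independent dimensions: a single deviation, such as an HR user logging on from a second HR workstation, is weak evidence, while several deviations together are the signature of a compromised account being used to move laterally. A real sensor also learns peers and group membership and scores deviations rather than applying hard rules, so treat this as the shape of the idea, not as a detection you would deploy.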
24. Azure ATP starts by collecting logs from your domain controllers and other sources. Then the analyze-and-learn phase kicks off, in which Azure ATP learns about the environment. The third phase is detection: when an anomaly is detected you are alerted and given a comprehensive dashboard to track what is happening. The final phase is integration, where Azure ATP integrates with Windows Defender ATP so that you have identity-based protection from Azure ATP and machine-based protection from Windows Defender ATP.
  25. I am going to leave you with some resources to learn more about Windows Defender ATP and Azure ATP so that you can consider implementing both in your environment to help you detect attacks while they are happening and after they happen.
26. In this presentation we talked about service accounts in Windows and how things can go wrong with them. Please have a look at managed service accounts, and remember not to run any service under a domain admin account. We also talked about pass-the-hash attacks and how attackers use them to move inside your network after obtaining the hashes of your users' passwords. Always make sure you do not have the same local admin password across your machines; you can use the Microsoft Local Administrator Password Solution (LAPS) to automate this. We then talked about the cyber kill chain and how you can use machine-learning-based defenses for the pre-breach and post-breach phases of an attack. Windows Defender ATP and Azure ATP can help you detect attacks as they happen and after they have happened.
27. Finally, I will leave you with some great resources I put together that I highly recommend you look at. You can find my blog series on how Azure ATP works and how to deploy it in your environment, and you can also look at my series on securing the modern workplace with the different ATP products from Microsoft, including a third ATP product called Office 365 ATP.
28. I want to thank everyone who attended my session at the BSides Amman conference this year, and all the people who are watching this video right now. Remember that you can view my slides on SlideShare, and you can also follow me there to get access to all my previous and future presentations.
  29. If you want to watch more videos about cloud and cybersecurity, you can always subscribe to my YouTube channel listed here.
30. I would also appreciate it if you gave me your feedback and thoughts about this session, either by commenting on this video or by sending me a message directly on one of my social media accounts. Thank you again, and watch for my next videos.