Tasks to be completed in the first 15-30 minutes.
Each of our teammates had a paper copy of this. This sheet was a single-sided, single-page worksheet with large font. Don't expect to be able to plan for the entire event before you show up.
+0 minute checklist:
- Change Passwords (check local accounts: passwd, net user. Active Directory Users and Computers to change AD passwords.)
- System Update (prioritize security updates)
- nmap/netstat (check open ports)
- What should be running on your machine? Ports?
- Check for suspicious processes (process explorer, htop)
- Virus Scanners (Microsoft Security Essentials, Malwarebytes)
- Windows Firewall (If you block RDP I will be VERY unhappy)
- visudo (Remove nopasswd, check for suspicious entries)
- .ssh/authorized_keys (If there's anything here, talk to arthurdent)
- Auditd logging
  - Add this line to the audit rules for each directory you want to log, substituting the directory for /var/www: "-w /var/www -p wa"
- Find setuid binaries
  - # find / -user root -perm -4000 -print
- iptables (with help of mike_pizza, loocorez, or arthurdent)
- nmap external IP, ALL ports
  - nmap -p- IP_ADDRESS
- meterpreter scan for vulns
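The Linux items on the sheet (local accounts, setuid binaries, sudoers NOPASSWD, authorized_keys, audit rules, open ports) as one POSIX sh helper. This is an added example, not the team's original sheet; every function takes a root directory so it can be pointed at "/" on a live box or at a constructed fixture tree, and the `login_accounts`, `find_setuid`, `find_nopasswd`, `find_authorized_keys`, `audit_rules` and `triage` names are ours.

```shell
#!/bin/sh
# Added example: helper for the Linux items on the +0 minute sheet (not the
# team's original). Every function takes a root directory ($1) so it can be
# run against "/" on a live machine or against a fixture tree for testing.

# Accounts with a real login shell: the local passwords to change first.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 " uid=" $3 }' "$1/etc/passwd"
}

# Set-UID binaries under $1 owned by $2 (default root): the sheet's find
# command with the -user test applied correctly.
find_setuid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null
}

# NOPASSWD grants in sudoers and sudoers.d, comment lines ignored
# (what the visudo item asks you to look for).
find_nopasswd() {
    cat "$1/etc/sudoers" "$1"/etc/sudoers.d/* 2>/dev/null \
        | grep -v '^[[:space:]]*#' | grep 'NOPASSWD' || :
}

# Non-empty authorized_keys files for root and every home directory,
# with the number of key lines in each (if anything shows up, escalate).
find_authorized_keys() {
    for f in "$1"/root/.ssh/authorized_keys "$1"/home/*/.ssh/authorized_keys; do
        [ -s "$f" ] && printf '%s: %s key(s)\n' "$f" "$(grep -c '^[^#[:space:]]' "$f")"
    done
    return 0
}

# The sheet's auditd watch rule for each directory given on the command line
# (append to the audit rules file, or feed each line to auditctl).
audit_rules() {
    for dir in "$@"; do printf -- '-w %s -p wa\n' "$dir"; done
}

# Full report against a root directory, e.g. `triage /` on the live machine.
# The socket listing always describes the live host, whatever $1 is.
triage() {
    printf '== login accounts ==\n';  login_accounts "$1"
    printf '== setuid root ==\n';     find_setuid "$1"
    printf '== NOPASSWD ==\n';        find_nopasswd "$1"
    printf '== authorized_keys ==\n'; find_authorized_keys "$1"
    printf '== listening sockets ==\n'
    ss -ltnup 2>/dev/null || netstat -tlnup 2>/dev/null || :
}
```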
Day 2: Recovery
We got owned hard in the last 45 minutes of day one, so the beginning of day 2 was spent recovering and hardening services. This is the plan we came up with the night before the second day. We had ONE Win7 machine that didn't appear to be owned. We used it to restore the entire Windows portion of our network.
Win 7 machines first, 2 at a time so we don't miss anything, then XP workstations, 2 at a time.
1. Shut down DC until workstations are hardened
2. Restore workstation from start-of-competition snapshot
3. Change Passwords Immediately
4. System Update
5. Repeat step 4 until no further updates are offered.
6. Update software; remove crapware and vulnerable software (Adobe, etc.)
7. Virus scanners (Microsoft Security Essentials, Malwarebytes): run them.
8. Remove the machine from the domain, so domain accounts can no longer be used to compromise it.
9. Snapshot machine
Domain Controller
1. Restore DC from start-of-competition snapshot.
2. Change Local DC Admin Password
3. Remove admin privs from ALL domain accounts
4. Change all domain account passwords to the same thing (ctrl+c, ctrl+v). Never use them again.
5. Updates, virus scanners, etc.
6. Snapshot machine
Other Windows Servers
At this point we began restoring the other Windows Server machines using the methodology above.