2014 checklist

From Hack Evergreen Wiki
Jump to: navigation, search

Arival Checklist

Tasks to be completed in the first 15-30 minutes.

Each of our teammates had a paper copy of this. This sheet was a single-sided, single-page worksheet with large font. Don't expect to be able to plan for the entire event before you show up.

+0 minute checklist:

All Machines:

  • Change Passwords (check local accounts: passwd, net user. Active Directory Users and Computers to change AD passwords.)
  • System Update (prioritize security updates)
  • nmap/netstat (check open ports)
  • What should be running on your machine? Ports?
  • Check for suspicious processes (process explorer, htop)

Windows Machines:

  • Virus Scanners (Microsoft Security Essentials, Malware Bytes)
  • Windows Firewall (If you block RDP I will be VERY unhappy)

Linux Machines:

Kali Machine:

Day 2: Recovery

We got owned hard at the very last 45 minutes of day one, so the beginning of day 2 was spent recovering and hardening services. This is the plan we came up with the night before the second day. We had ONE Win7 machine that didn't appear to be owned. We used it to restore the entire Windows portion of our network.

Win 7 machines first, 2 at a time so we don't miss anything, then XP workstations, 2 at a time.

Workstations

1. Shut down DC until workstations are hardened

2. Restore workstation from start-of-competition snapshot

3. Change Passwords Immediately

4. System Update

5. RESTART

6. Repeat step 4 until you can't no more.

7. Update software, Remove crapware / vuln-software (adobe, etc.)

8. Virus Scanners (Microsoft Security Essentials, Malware Bytes) Run em.

9. Remove machine from domain. Domain accounts can no longer be used to compromise these machines.

10. Snapshot machine

Domain Controller

1. Restore DC from start-of-competition snapshot.

2. Change Local DC Admin Password

3. Remove admin privs from ALL domain accounts

4. Change all domain account passwords to the same thing (ctrl+c, ctrl+v). Never use them again.

5. Updates, virus scanners, etc.

6. Snapshot machine

Other Windows Servers

At this point we began restoring the other windows server machines using the above methodology.