SESSION ID: HTA-R11
#RSAC
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats
Rotem Salinas, Senior Security Researcher, RSA Security, Rotem.Salinas@rsa.com, @rotemsalinas
Uri Fleyder-Kotler, Advanced Threats Research Lab Manager, RSA Security, Uri.Fleyder@rsa.com, @ufleyder
Houston We Have a Problem
2
Agentless/non-malware attacks are a rapidly growing threat
Attackers are implementing stealthier methods to bypass defenses
Research Goals
3
Goals
Find a way to assess a script’s “maliciousness” automatically
Do it without the potential harm of infection
Make it fast!
Narrow the problem space
VBA
Powershell
Not focused on the code extraction
The same concepts can apply to similar problems
The “Imaginary Engine”
4
How can we develop such a 1337 imaginary engine?
Problem solving in 3 basic steps
Analyze
Brainstorming
Implementation
The First Step – Malware Analyst Standpoint
5
Traditional Static Analysis Approach
Determine Execution Flow
Deobfuscate
Find Suspicious Activity
Perception Test – What Do Attackers Do?
6
The First Step – Understanding The Attacker’s Mindset
7
The First Step – Understanding The Attacker’s Mindset
8
The First Step – The Attacker’s Main Objectives
9
Objectives                              Indicators
Code execution                          Prerequisite, spawning new processes/threads
Persistency                             Disk operations, registry operations
Stealth                                 OS manipulation
Enumeration                             Registry operations, enumeration
Command & Control / Data Exfiltration   Network operations
Lateral Movement                        Network operations, enumeration
Case Study – Dridex Campaign
10
Peaked during 2015-2016
Used macros in Office documents to deploy Dridex variants
Targeted many companies and financial entities around the world
Delivered in large-scale spam/spear-phishing campaigns
Case Study – Dridex Campaign
11
Case Study 1 – Dridex Campaign
12
Entrypoint – This is where the code starts its execution
Non-Linear Code Execution - GoTo jumping to labels
Case Study 1 – Dridex Campaign
13
COM Object Creation
Case Study 1 – Dridex Campaign
14
URL De-Obfuscation + Http Request Creation
Case Study 1 – Dridex Campaign
15
Sending GET request
Initializing ADODB object to write file to disk
Case Study 1 – Dridex Campaign
16
Writing Response Body Data to disk
Case Study 1 – Dridex Campaign
17
Executing Downloaded File
Case Study – Anunak/Carbanak
18
Financial APT
Only 1 submission to VT
Attributed to Anunak Cybergang
Final payload
VBS/Powershell
PE Executable
See Full Analysis in Appendix
The Second Step – Brainstorming
19
Common approaches pros and cons
Hooking
— Use available source code or patch existing dll/exe
— Inserting code that would sink certain expressions
— Remove potentially harmful code
Taint Analysis / Symbolic Execution
— Implement an engine that would emulate the language interpreter
— The engine should evaluate each line of code
— Instead of invoking potentially harmful expressions it would sink them
We Have a Winner!
20
Symbolic Execution
Pros
— Cannot harm the machine in any way (even if we missed something)
— We know exactly how it works. NO Reverse Engineering!
— Not limited to specific platform/OS
Cons
— Hard to Implement
— Might lack some language functionality
Symbolic Execution: Double Sweep Method
21
First sweep
Global context
— Global variables
— Code
Function declarations
External DLL declarations
Symbolic Execution: Double Sweep Method
22
Second sweep
Function code - starts with Entrypoint
Follows execution flow
Executes stubs instead of built-in language functions
Evaluates expressions
— Math
— String manipulation
— Logical expressions (condition evaluation)
Implementation Details
23
Python
PyParsing
Dave Beazley’s (Python guru) PLY – Python Lex Yacc
— Lex – lexical analysis/tokenizer
— Yacc (Yet Another Compiler Compiler) – Syntax Analyzer
BNF – Backus Naur Form
Where to start: RTFM
Lexical Analyzer (Tokenizer)
24
Tokens
Language keywords
Immediate values
— Strings
— Integer/numeric values
— Floating point values
— Arrays/compound data-types
Identifiers – variable names, function names, object names
Operators – math, bitwise, logical, string manipulation
* Diagram courtesy of David Beazley
Syntax Analyzer (Parser)
25
Parses the language syntax according to the tokenized output from the lexer
The language syntax/grammar is defined by multiple functions
Each function represents a BNF expression and will pass the parsed/extracted values to the next function in line according to the BNF statement
* Diagram courtesy of David Beazley
PLY Lex Example
26-33
Diagrams courtesy of David Beazley
Tokenizer Demo
34
PLY Yacc Example
35-39
Diagrams courtesy of David Beazley
Engine Design Overview
40
Scoring
Blacklist (score++)
Whitelist (score--)
A higher score -> more malicious
If score >= threshold Then
isMalicious = True;
Obfuscation As Heuristics
41
Obfuscation can be a strong indicator for malicious behavior
Examples
Object returned from function call
Object created from function call return value string
Obfuscation As Heuristics – More Examples
42
More Examples
Self modifying code (during runtime)
Data read from controls embedded in the document is considered suspicious
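As an added example (not the authors' PLY-based engine), here is a small Python implementation of the approach described on the lexer, double-sweep, engine-design and obfuscation-heuristic slides above: a regex lexer with the token classes from slide 24, a first sweep that collects globals and procedure code, a second sweep that evaluates string expressions from the entrypoint and stubs CreateObject/Shell-style calls instead of invoking them, and a blacklist/whitelist score against a threshold. Condition evaluation, GoTo, DLL declarations and the PLY parser are left out; the indicator weights, the threshold and the macro sample are constructed assumptions.

```python
import re
KEYWORDS = {"sub", "function", "end", "set", "dim", "const", "as", "if", "then", "goto", "call"}
TOKEN_RE = re.compile(r"""(?P<COMMENT>'.*)|(?P<STRING>"(?:[^"]|"")*")|(?P<NUM>\d+)
    |(?P<IDENT>[A-Za-z_][\w.]*)|(?P<OP>[&=+\-*/(),:])|(?P<WS>\s+)""", re.VERBOSE)
# Harmless string builtins are evaluated for real so runtime-assembled names get resolved.
BUILTINS = {"chr": lambda a: chr(int(a[0])), "strreverse": lambda a: str(a[0])[::-1]}
BLACKLIST = {"microsoft.xmlhttp": 3, "msxml2.xmlhttp": 3, "winhttp.winhttprequest.5.1": 3, "adodb.stream": 2,
             "scripting.filesystemobject": 2, "wscript.shell": 3, "shell.application": 3, "shell": 3, "environ": 1}
WHITELIST, THRESHOLD = {"msgbox": 1}, 5  # indicators from the VBA slides; weights and threshold are assumed
def tokenize(line):  # lexer: keywords, immediates (strings, numbers), identifiers, operators
    out = []
    for m in TOKEN_RE.finditer(line):
        kind, text = m.lastgroup, m.group()
        kind = "KEYWORD" if kind == "IDENT" and text.lower() in KEYWORDS else kind
        if kind not in ("WS", "COMMENT"):
            out.append((kind, text))
    return out

class Evaluator:  # second-sweep expression evaluator: literals, variables, '&' concatenation, calls
    def __init__(self, env):
        self.env, self.calls = env, []  # calls: (name, args, literal_arg) recorded by the stubs
    def eval(self, tokens):
        self.toks, self.i = tokens, 0
        return self.expr()
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def expr(self):  # term (('&' | '+') term)*
        value = self.term()
        while self.peek()[1] in ("&", "+"):
            self.take()
            value = str(value) + str(self.term())
        return value
    def term(self):
        kind, text = self.take()
        if kind in ("STRING", "NUM"):
            return int(text) if kind == "NUM" else text[1:-1].replace('""', '"')
        if kind == "IDENT" and self.peek()[1] != "(":
            return self.env.get(text.lower(), f"<{text}>")
        if kind == "IDENT":  # call: name '(' expr (',' expr)* ')'
            self.take()
            start, args = self.i, []
            while self.peek()[1] != ")":
                args.append(self.expr())
                if self.peek()[1] == ",":
                    self.take()
            self.take()
            # A lone string literal between the parentheses means the name was not built at runtime.
            return self.call(text, args, self.i - start == 2 and self.toks[start][0] == "STRING")
        raise ValueError(f"unexpected token {text!r}")
    def call(self, name, args, literal):  # run harmless builtins, stub everything else
        key = name.lower()
        if key in BUILTINS:
            return BUILTINS[key](args)
        self.calls.append((key, args, literal))
        return f"<{name}:{args[0]}>" if key in ("createobject", "getobject") and args else f"<{name}()>"

def first_sweep(lines):  # sweep 1: global constants and the code of each procedure
    env, procs, current = {}, {}, None
    for line in lines:
        toks = tokenize(line)
        words = [t.lower() for _, t in toks]
        if not words:
            continue
        if words[0] in ("sub", "function"):
            current, procs[words[1]] = words[1], []
        elif words[:2] in (["end", "sub"], ["end", "function"]):
            current = None
        elif current:
            procs[current].append(toks)
        elif words[0] in ("dim", "const") and "=" in words:
            env[words[words.index("=") - 1]] = Evaluator(env).eval(toks[words.index("=") + 1:])
    return env, procs

def assess(source, entry="AutoOpen"):  # sweep 2 from the entrypoint, then blacklist/whitelist scoring
    env, procs = first_sweep(source.splitlines())
    ev = Evaluator(env)
    for toks in procs.get(entry.lower(), []):
        words = [t.lower() for _, t in toks]
        if words[0] in ("dim", "if", "goto", "call"):  # condition and flow evaluation left out here
            continue
        if "=" in words:  # x = expr  /  Set x = expr
            env[words[words.index("=") - 1]] = ev.eval(toks[words.index("=") + 1:])
        else:  # statement-form call without parentheses: Shell "cmd", 0
            ev.eval([toks[0], ("OP", "(")] + toks[1:] + [("OP", ")")])
    score = 0
    for name, args, literal in ev.calls:
        score += BLACKLIST.get(name, 0) - WHITELIST.get(name, 0)
        if name in ("createobject", "getobject") and args:
            score += BLACKLIST.get(str(args[0]).lower(), 0) + (0 if literal else 2)  # runtime-built ProgID
    return score, score >= THRESHOLD
SAMPLE = """Const h = "MSXML2." & Chr(88) & "ML"
Sub AutoOpen()
    Set o = CreateObject(h & StrReverse("PTTH"))   ' resolves to MSXML2.XMLHTTP
    Set s = CreateObject("ADODB." & "Stream")
    Shell Environ("TEMP") & "u.exe", 0
End Sub"""  # constructed sample in the style of the Dridex macros on the slides, not real malware
```

Running `assess(SAMPLE)` resolves both ProgIDs without creating any object and returns a score above the threshold; a macro that only calls MsgBox scores below zero.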
Demo The Engine
43
The Age Old Question of FP vs. FN
44
False positives
False negatives
Decide what works best for you!
Lessons Learned
45
Challenges
Condition evaluation
Recursion limit
Lessons
When in doubt, brute-force!
Use the language specification guide as a guideline rather than implementing every language feature that exists
Apply
46
DIY 1: Develop It Yourself
DIY 2: Deploy In Your Organization
Network
Endpoint
Use for your investigations
Q&A
Rotem Salinas: Rotem.Salinas@rsa.com, @rotemsalinas
Uri Fleyder-Kotler: Uri.Fleyder@rsa.com, @ufleyder
VBA Indicators of Suspicious Activity
48
File System Operations
COM Objects: Scripting.FileSystemObject, ADODB.Stream
Cmd – output redirect/copy/del/move
Open builtin function
Importing External DLLs - URLMON
Network Operations
COM Objects: Microsoft.XMLHTTP, WinHttp.WinHttpRequest
OS Manipulation
Importing External DLLs – KERNEL32
WMI Objects
Registry
Importing External DLLs – ADVAPI32
VBA Indicators of Suspicious Activity
49
Enumeration
WMI Objects
Cmd – net share/net use/ipconfig/environment variables
Obfuscation
Self Modifying Code
Eval
CodeModule
Obfuscation Beyond Reasonable Doubt
VBA Indicators of Suspicious Activity
50
COM Object Creation
WMI Objects Creation
Self Modifying Code
Eval
CodeModule
Built-In Functions
Importing External DLL
Obfuscation Beyond Reasonable Doubt
VBA – COM Object Creation – Network Activity
51
Rule of thumb - If your Office documents are communicating, you are in serious trouble
Network Activity - COM Objects
Microsoft.XMLHTTP
MSXML2.SERVERXMLHTTP.6.0
MSXML2.SERVERXMLHTTP
MSXML2.XMLHTTP
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest
InternetExplorer.Application
VBA – COM Object Creation – Network Activity
52
Microsoft.XMLHTTP
WinHttp.WinHttpRequest.5.1
VBA – COM Object Creation – File System Activity
53
Scripting.FileSystemObject
ADODB.Stream
VBA – COM Object Creation – Command Execution
54
WScript.Shell
Shell.Application
VBA – COM Object Creation – Obfuscation
55
XStandard.Base64
MSXML2.DOMDocument.3.0
MSXML2.DOMDocument
VBA – Built-In Functions
56
CreateObject – Create COM object by String Object Name
GetObject – Create WMI/COM object
Eval – Covered In Self-Modifying
ExecuteGlobal – VBS specific
CallByName – Calls a Function/Method by string name
Shell – Executes a Command
Environ – Evaluates Environment Variables
Kill – Deletes a File
Application.Run – Calls a Function by String Name
VBA – WMI Object Creation
57
winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2
Examples
VBA – Self-Modifying Code – Code Module
58
CodeModule – Allows modifications of the VBA code
VBA – Self-Modifying Code – Eval
59
Eval - Evaluates an expression and executes its code
ExecuteGlobal
VBA – Open Built-In Function
60
Write to File with Open Built-In Function
VBA – Importing External DLL
61
Win32 API
Examples
Appendix – Case Study 1 A - Dridex
62
Entrypoint – This is where the code starts its execution
Non-Linear Code Execution - GoTo jumping to labels
Appendix – Case Study 1 A - Dridex
63
COM Object Creation
Appendix – Case Study 1 A - Dridex
64
URL De-Obfuscation + Http Request Creation
Appendix – Case Study 1 A - Dridex
65
Sending GET request
Initializing ADODB object to write file to disk
Appendix – Case Study 1 A - Dridex
66
Writing Response Body Data to disk
Appendix – Case Study 1 A - Dridex
67
Executing Downloaded File
Appendix – Case Study 1 B - Dridex
68
Defining Globals
Entrypoint
Appendix – Case Study 1 B - Dridex
69
Create obfuscated COM object
Appendix – Case Study 1 B - Dridex
70
Create more obfuscated COM objects
Appendix – Case Study 1 B - Dridex
71
Deobfuscate URL and create GET request
Appendix – Case Study 1 B - Dridex
72
Send GET request
Appendix – Case Study 1 B - Dridex
73
Receive Response Body and write to File
Appendix – Case Study 1 B - Dridex
74
Save To Disk
Execution
Appendix – Case Study 2 - Anunak
75
Entrypoint
De-obfuscate
Appendix – Case Study 2 - Anunak
76
Beacon and Deploy final Payload
De-Obfuscate
Appendix – Case Study 2 - Anunak
77
Beacon Command & Control – Phase 1
Deobfuscate
Appendix – Case Study 2 - Anunak
78
Beacon Command & Control – Phase 2
Deobfuscate
Appendix – Case Study 2 - Anunak
79
Deploy Base64 Payload
Write Base64 Decoded Payload to Temp Path
Execute Payload
Appendix – Case Study 2 - Anunak
80
Analyzing Payload 1
Payload is an icon
Used for credibility
Attempts to gain persistency on the victim's machine both by using known Autorun registry paths and by creating a scheduled task using the schtasks command
Appendix – Powershell Indicators of Suspicious Activity
81
.NET Objects
.NET Reflection
Add-Type
New-Object
WinAPI32 DLL Loading
WMI Objects
Invoke-WmiMethod
Command Execution
Invoke-Command
COM Objects
New-Object –Com
Appendix – Powershell Obfuscation
82
Obfuscation Methods
Base64
SecureString
Custom Decoding Methods
Powershell Techniques - .NET Reflection
83
Example 1 – LoadWithPartialName
Example 2 - LoadName
Powershell Techniques - Add-Type .NET code injection
84
Creation of a new type/class using .NET code
Creating an instance of the class and invoking its Start method
Powershell Techniques – New-Object
85
Creating an object instance
In this example a System.Net.WebClient instance is created in order to download a file
Powershell Techniques - Invoke-WmiMethod
86
Using WMI for enumeration and system manipulation
In this case creating a key in the Windows registry
Powershell Techniques - DLL loading
87
Resolving Native Win32 API functions
$module = "kernel32.dll"
API function to be resolved
Powershell Techniques - New-Object -com
88
Similar to the COM objects in VBA, the same COM objects can be used in Powershell using this command
Powershell Techniques Obfuscation
89
Obfuscation methods in Powershell
Adding Ticks (escapes special characters but is ignored if used on non-special characters) + Lowercase/Uppercase
String Concatenation/Manipulation
Get-Command + WildCards + Aliases
Invoke-Expression
Powershell Techniques Obfuscation - Base64
90
Base64 using .NET classes
CertUtil
By Executing the certutil tool as a command
certutil -decode encodedInputFileName decodedOutputFileName
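The obfuscation layers on the two Powershell slides above (cosmetic ticks, mixed case, string concatenation, Base64 via .NET and -EncodedCommand), normalized and scored in Python as an added example that is not the authors' engine. The indicator labels, weights, threshold, the set of backtick escape letters and the sample script are assumptions.

```python
import base64
import re

# Backtick escapes Powershell interprets (assumed list, compared case-insensitively); a tick in
# front of any other character is a no-op, which is what the "add ticks" obfuscation relies on.
ESCAPED = set("0abefnrtuv`$\"")

def strip_ticks(s):  # remove backticks that do not form a real escape sequence
    out, i = [], 0
    while i < len(s):
        if s[i] == "`" and i + 1 < len(s) and s[i + 1].lower() not in ESCAPED:
            i += 1  # cosmetic tick: drop it and keep the following character
            continue
        out.append(s[i])
        i += 1
    return "".join(out)

CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")

def fold_concat(s):  # ('Inv' + 'oke') -> 'Invoke', repeated until nothing changes
    prev = None
    while prev != s:
        prev, s = s, CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", s)
    return s

# Indicators from the deck's Powershell slides; labels and weights are assumed.
INDICATORS = [
    (r"\binvoke-expression\b|(?<![\w-])iex\b", "Invoke-Expression", 3),
    (r"\badd-type\b", "Add-Type .NET code injection", 2),
    (r"\bnew-object\s+-com(?:object)?\b", "COM object via New-Object -Com", 2),
    (r"\bnew-object\b", "New-Object", 1),
    (r"\binvoke-wmimethod\b", "Invoke-WmiMethod", 2),
    (r"\binvoke-command\b", "Invoke-Command", 2),
    (r"frombase64string", "Base64 via .NET", 2),
    (r"securestring", "SecureString obfuscation", 2),
    (r"\bcertutil\b.*-decode", "certutil -decode", 2),
    (r"loadwithpartialname", ".NET reflection assembly load", 2),
    (r"\bget-command\b.*\*", "Get-Command wildcard lookup", 2),
    (r"system\.net\.webclient", "WebClient download", 3),
    (r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[a-z0-9+/=]{16,}", "-EncodedCommand", 3),
]
B64 = re.compile(r"""frombase64string\(\s*['"]([a-z0-9+/=]+)['"]\s*\)"""
                 r"""|(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([a-z0-9+/=]{16,})""", re.I)

def decode_layers(s):  # base64 payloads embedded in the script, decoded to text
    layers = []
    for m in B64.finditer(s):
        try:
            raw = base64.b64decode(m.group(1) or m.group(2), validate=True)
        except ValueError:
            continue
        # -EncodedCommand is always UTF-16LE; FromBase64String payloads are usually UTF-8
        utf16 = m.group(2) is not None or raw[1:2] == b"\x00"
        layers.append(raw.decode("utf-16-le" if utf16 else "utf-8", "replace"))
    return layers

def analyze(script, depth=0):  # normalize, match indicators, recurse into decoded layers
    s = fold_concat(strip_ticks(script))
    hits = [(label, weight, depth) for pat, label, weight in INDICATORS if re.search(pat, s, re.I)]
    if depth < 3:
        for layer in decode_layers(s):
            hits += analyze(layer, depth + 1)
    return hits

def score(script, threshold=5):  # threshold is an assumed value
    total = sum(w for _, w, _ in analyze(script))
    return total, total >= threshold

# Constructed sample: ticks and concatenation hide Invoke-Expression, a base64 layer hides the
# COM object creation and an -enc layer hides the WMI call. Encoded here so it stays readable.
INNER = base64.b64encode(b"New-Object -ComObject WScript.Shell").decode()
ENC = base64.b64encode("Invoke-WmiMethod -Class StdRegProv -Name CreateKey".encode("utf-16-le")).decode()
SAMPLE = ('$c = ("I" + "nv`o`ke-Ex" + "pre`ssion")\n'
          '& $c ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("' + INNER + '")))\n'
          'powershell.exe -NoP -enc ' + ENC + '\n')
```

`analyze(SAMPLE)` reports the hits with the layer depth they were found at, so the Invoke-WmiMethod call only visible after decoding the -enc blob still counts towards the score.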
Case Study 3 – Targeted Spear Phishing Campaign
91
Javascript outer script with obfuscated strings
Base64 encoded payloads
Each string in the list is reversed
A list of strings including commands and base64-encoded payloads
Case Study 3 – Targeted Spear Phishing Campaign
92
Deploys 3 Powershell scripts on the victim's machine
Payload 1 – .NET code injection using Add-Type
Creation of a new type/class using .NET code
Creating an instance of the class and invoking its Start method
Case Study 3 – Targeted Spear Phishing Campaign
93
Payload 2 – .NET code injection using Add-Type like the 1st payload
Imports multiple Win32 API functions using .NET
Case Study 3 – Targeted Spear Phishing Campaign
94
Payload 3 – Downloads TOR Proxifier as scheduled task
Case Study 4 – Powersploit + Invoke-Obfuscation
95
Open source project available on GitHub
PowerSploit includes capabilities such as:
Shellcode injection
Reflective DLL injection
WMI
Code execution
Mimikatz – NTLM/LM password dump
Invoke-Obfuscation is a Powershell code obfuscation framework developed by Daniel Bohannon

 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
