SlideShare a Scribd company logo

DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht

Felipe Prado
Felipe Prado

DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht

Technology
1 of 87
Download to read offline
EDR Is Coming; Hide yo Sh!t @TTimzen @r00tkillah
Who are we? Michael “@r00tkillah” Leibowitz Topher Timzen (@TTimzen) NSA Playset C# Malware is <3 Principle Troublemaker Principal Vulnerability Enthusiast RED TEAM ! ! ! !
Agenda ● What is EDR and why do we care? ● UEFI security and variables overview ● Windows platform hijinks with demo ● Linux platform hijinks with demo ● What does this all mean? ● Mitigations and Recommendations ● Future work ● Conclusions
EDR
Enterprise Detection and Response (EDR) Defensive tooling that focuses on detecting, investigating and mitigating suspicious activities on hosts and endpoints. Provides Blue Team a hunt capability Alerts mapped to MITRE ATT&CK via a SIEM or EDR directly CrowdStrike and Carbon Black are big players in this space
MITRE ATT&CK - https://attack.mitre.org/ Knowledge base of adversary tactics and techniques based on real-world observation - Tactics, Techniques, Procedures (TTP)
Enterprise Detection and Response (EDR) Tuned for processes, commands and API Calls ● cmd.exe /c ● powershell.exe ● Registry modifications ● Scheduled Tasks All of these mapped to MITRE TTPs
The Other Risk Curve Time -> LikelihoodofDetection Initial shell popped Persistence phase starts
Result of EDR Analyst You
The Other Risk Curve (Modified) Time -> LikelihoodofDetection Initial shell popped Persistence phase starts
UEFI
Unified Extensible Firmware Interface (UEFI) Trusted Platforms UEFI, PI and TCG-based firmware (Zimmer, Dasari, & Brogan, 2009, p. 16)
But Why UEFI Firmware Variables? Hides payload from AV, and EDR, and requires memory forensics to investigate EDR platform getting your reader binary doesn’t mean anything Tons of places to hide there! ● Test0 E660597E-B94D-4209-9C80-1805B5D19B69 NV+BS+RT ● Test1 E660597E-B94D-4209-9C80-1805B5D19B69 NV+BS+RT
UEFI Firmware Variables Authenticated ● Secure boot nonsense (PK, KEK, db/dbx) ● Performs a certificate check when writing variable Unauthenticated ● No verification on write ● Majority of variables are unauthenticated
UEFI Firmware Variable Attributes UEFI specification defines variable attributes can be ● Non-volatile (NV) ● Boot services access (BS) ● Runtime access (RT) ● Hardware error record (HR) ● Count based authenticated write access ● Time based authenticated write access (AT)
Windows Platform
UEFI On Windows “Starting with Windows 10, version 1803, Universal Windows apps can use GetFirmwareEnvironmentVariable and SetFirmwareEnvironmentVariable (and their 'ex' variants) to access UEFI firmware variables” SE_SYSTEM_ENVIRONMENT_NAME privilege Is required to Read/Write Administration account with Universal Windows App “required” https://docs.microsoft.com/en-us/windows/desktop/sysinfo/access-uefi-firmware-variables-from-a-universal-windows-app
Read/Write UEFI Firmware Variable API
dwAttributes Value Meaning VARIABLE_ATTRIBUTE_NON_VOLATILE 0x00000001 The firmware environment variable is stored in non-volatile memory (e.g. NVRAM). VARIABLE_ATTRIBUTE_BOOTSERVICE_ACCE SS 0x00000002 The firmware environment variable can be accessed during boot service. VARIABLE_ATTRIBUTE_RUNTIME_ACCESS 0x00000004 The firmware environment variable can be accessed at runtime. Note: Variables with this attribute set, must also have VARIABLE_ATTRIBUTE_BOOTSERVICE_ACCE SS set.
C++ [&& or ||] C# C++ is a viable option and was the initial language used, however ● Too many API calls to Virtual* ○ Requires RWX memory to be present for execution ○ EDR and AV see these API calls ○ C# can do everything needed with Reflection ● More difficult to bypass WDAC ● C# Allows for easy use of Cobalt Strike + Powerpick ● Reference code available in repo for both
Steps for Writing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. Get address of a pinned buffer in C# (payload) 3. Write to UEFI variable with SetFirmwareEnvironmentVariableEx()
Steps for Writing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv()
Steps for Writing UEFI variable 2. Get address of a pinned buffer in C# (payload)
Steps for Writing UEFI variable 3. Write to UEFI variable with SetFirmwareEnvironmentVariableEx()
Steps for Executing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. P/Invoke with Virtual(Alloc, Protect) to obtain RWX Memory 3. Obtain UEFI variable payload with GetFirmwareEnvironmentVariableEx()
Steps for Reading UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv()
Steps for Executing UEFI variable 2. P/Invoke with Virtual(Alloc, Protect) to obtain RWX Memory
C# and P/Invoke Virtual(Alloc, Protect) API Calls https://www.hybrid-analysis.com/sample/5aba178a512ae2c1c5afccf113c6dc0f80c 47fdeee294781483b8aa07002cf39/5c74860b028838095154dad0
C# and P/Invoke, No No
Steps for Executing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. P/Invoke RWX Memory 3. Obtain UEFI variable payload with GetFirmwareEnvironmentVariableEx()
Steps for Executing UEFI variable to Evade EDR and AV 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. Reflectively obtain RWX JIT memory page to read UEFI variable into 3. Write UEFI variable payload to method ptr with GetFirmwareEnvironmentVariableEx() 4. Execute method
C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ Method Table contains address of JIT stub for a class’s methods. During JIT the Method Table is referenced Grab Method Ptr as RWX memory location and overwrite it!
C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ 2. Reflectively obtain RWX JIT memory page to read UEFI variable into A. Define a method to overwrite B. JIT the method C. Obtain ptr to method
C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ A. Define a method to overwrite
C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ B. JIT the method C. Obtain ptr to method
C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ 3. Write UEFI variable payload to method ptr with GetFirmwareEnvironmentVariableEx() 4. Execute method
Steps for Infection (Demo) 1. Obtain shell on target 2. Run WriteUEFICSharp 3. Set persistence for ReadUEFICSharp 4. Run ReadUEFICSharp
Windows Demo
Persistence? Exercise up to the reader WDAC Bypasses are a good means to persist with unsigned code Your payload is in a UEFI variable, GLHF Analyst!
What About Windows EDR Products? We saw no relevant information in EDR pertaining to the usage of UEFI variables Startup events are seen without rootkit, but no malicious activity reported ● AV is clean ● No Virtual* API Calls
Sinkhole your EDR https://gist.github.com/tophertimzen/235fbfdf6b2e3cdf255dccb763fdd805
WDAC Bypasses There has been a lot of research on bypassing WDAC and Windows Universal Apps - https://posts.specterops.io/arbitrary-unsigned-code-execution-v ector-in-microsoft-workflow-compiler-exe-3d9294bc5efb - https://bohops.com/2019/01/10/com-xsl-transformation-bypassi ng-microsoft-application-control-solutions-cve-2018-8492/ Singed Code is not a proper mitigation currently in Windows 10
Linux Platform
The Problem Space The Kernel Your Sample EDR
Envisioning The Solution The Kernel Your Payload EDR
Linux Boot Flow UEFI Signed by OEM
Linux Boot Flow UEFI shim Signed by MSFT Signed by OEM
Linux Boot Flow UEFI shim grub Signed by distro Signed by MSFT Signed by OEM
Linux Boot Flow UEFI shim grub linux Signed by distro Signed by MSFT Signed by OEM
Linux Boot Flow UEFI shim grub linux Signed by distro Signed by MSFT Signed by OEM Unsigned and generated on system ramdisk
Linux Boot Flow UEFI shim grub linux Signed by distro Signed by MSFT Signed by OEM Unsigned and generated on system ramdisk EDR
ptrace, Man! man (2) ptrace + PTRACE_SETREGS + PTRACE_PEEKTEXT, PTRACE_PEEKDATA + PTRACE_POKETEXT, PTRACE_POKEDATA - YAMA - SELinux/AppArmor/SMACK/TOMOYO/etc + Policy applied in userspace!!
Boot Flow, Continued 1 Ramdisk land
Boot Flow, Continued 1 1 exec Ramdisk land Rootfs land
Boot Flow, Continued 1 1 exec Ramdisk land Rootfs land EDRPolicy load
fanotify, man! man (7) fanotify DESCRIPTION The fanotify API provides notification and interception of filesystem events. Use cases include virus scanning and hierarchical storage management.
memfd_create, man! man (2) memfd_create DESCRIPTION memfd_create() creates an anonymous file and returns a file descriptor that refers to it. The file behaves like a regular file … … it lives in RAM and has a volatile backing storage.
PR_SET_TIMERSLACK Since Linux 4.6, the "current" timer slack value of any process can be examined and changed via the file /proc/[pid]/timerslack_ns. See proc(5).
CONFIG_EFI_VARS config EFI_VARS If you say Y here, you are able to get EFI (Extensible Firmware Interface) variable information via sysfs. You may read, write, create, and destroy EFI variables through this interface.
Surviving MS_MOVE 1. Poll on /proc/self/mounts 2. Sleep while initramfs finishes and init starts 3. Create a new mount namespace 4. Mount proc (it's not in initramfs) 5. Set mount namespace to init's namespace through setns 6. chroot(“/proc/1/root”) 7. chdir(“.”) 8. chroot(“/”)
Boot Flow, Modified 1 exec Ramdisk land fork UEFI
Boot Flow, Modified 1 exec Ramdisk land fork UEFI open
Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork UEFI
Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork UEFI
Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork STOP UEFI
Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork ptrace UEFI
Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax 0x7fa413d56bb5 <epoll_wait+85>: syscall => 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2
Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax => 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x13f (memfd_create)
Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax => 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x13f (memfd_create) .ELF............
Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax => 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x9 (mmap) 0x90 0x90 0x90 0x90 0x90 .ELF............
Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x9 (mmap) => 0x90 0x90 0x90 0x90 0x90 .ELF............ ret2libc (dlopen)
Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax 0x7fa413d56bb5 <epoll_wait+85>: syscall => 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x9 (mmap) 0x90 0x90 0x90 0x90 0x90 .ELF............ ret
Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork CONT UEFI
Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork UEFI
Linux Demo 1. See noise in auditd of exploiting enterprise_tool 2. Install implant into UEFI and ramdisk 3. Reboot 4. Set timerslack marker 5. Exploit enterprise_tool 6. See no output in log 7. Show policy in place 8. Show variable
Linux Demo
What does this all mean?
Net Happiness Increase You Analyst
Mitigations and Recommendations
Mitigations and Recommendations Monitor and Audit UEFI variables across your organizations fleet EDR Should detect UEFI APIs ● It is not common for apps to Set/Get Firmware Variables ● NV+BS+RT Variables are suspicious if created after installation of platform
Mitigations and Recommendations EDR Tamper Resistance is not effective ● Sinkholing or killing the sensor usually does not give alerts ● Vendors need to work on securing their processes ○ Alert on sinkhole ○ Do not allow ptrace Stop assembling ramdisks on systems!
Closing and the Rest
Future Work Look into hiding inside of UEFI Configuration Storage Analyze more EDR products and how they handle UEFI variables Use these techniques in more Red Team engagements to increase defender efficacy Look at more platforms for their usage of UEFI variables ● More places to hide
Closing Have yourself a uefi.party and plunder away your loot! Sucker punch that pesky EDR! GitHub Repo at https://github.com/perturbed-platypus
References https://redcanary.com/blog/detecting-all-the-things-with-limited-data/ https://countercept.com/blog/av-bypass-techniques-through-an-edr-lens/ https://github.com/rrbranco/BlackHat2017/blob/master/BlackHat2017-BlackBIOS-v0.13-Published.pdf https://github.com/emptymonkey/ptrace_do https://github.com/eklitzke/ptrace-call-userspace https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
References for MITRE TTPs Tuned for processes, commands and API Calls ● cmd.exe /c ○ https://attack.mitre.org/techniques/T1059/ ● powershell.exe ○ https://attack.mitre.org/techniques/T1086/ ● Registry modifications ○ https://attack.mitre.org/techniques/T1112/ ● Scheduled Tasks ○ https://attack.mitre.org/techniques/T1053/
EOF

Recommended

Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf tools
Brendan Gregg
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
MichaelM85042
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
Ryan G. Murphy
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
OWASP Delhi
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Chris Sistrunk
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 

Recommended

Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Velocity 2015 linux perf tools
Velocity 2015 linux perf toolsVelocity 2015 linux perf tools
Velocity 2015 linux perf tools
Brendan Gregg
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
MichaelM85042
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
Ryan G. Murphy
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
OWASP Delhi
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Chris Sistrunk
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Embedded Rust on ESP2 - Rust Linz
Embedded Rust on ESP2 - Rust LinzEmbedded Rust on ESP2 - Rust Linz
Embedded Rust on ESP2 - Rust Linz
Juraj Michálek
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
Will Schroeder
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
Brendan Gregg
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at Netflix
Brendan Gregg
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
n|u - The Open Security Community
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
Docker Forensics
Docker ForensicsDocker Forensics
Docker Forensics
Joel Lathrop
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI Attacks
Imperva
 
Osquery
OsqueryOsquery
Osquery
Animesh Roy
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421
Linaro
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
Narudom Roongsiriwong, CISSP
 
GPU Virtualization in SUSE
GPU Virtualization in SUSEGPU Virtualization in SUSE
GPU Virtualization in SUSE
Liang Yan
 
Troubleshooting Apache® Ignite™
Troubleshooting Apache® Ignite™Troubleshooting Apache® Ignite™
Troubleshooting Apache® Ignite™
Tom Diederich
 
Ethical Hacking Workshop Presentation
Ethical Hacking Workshop PresentationEthical Hacking Workshop Presentation
Ethical Hacking Workshop Presentation
Deepak Handke
 
The Indicators of Compromise
The Indicators of CompromiseThe Indicators of Compromise
The Indicators of Compromise
Tomasz Jakubowski
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
ESET
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin
 

More Related Content

What's hot

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421
Linaro
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 

What's hot (20)

Embedded Rust on ESP2 - Rust Linz
Embedded Rust on ESP2 - Rust LinzEmbedded Rust on ESP2 - Rust Linz
Embedded Rust on ESP2 - Rust Linz
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at Netflix
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Docker Forensics
Docker ForensicsDocker Forensics
Docker Forensics
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI Attacks
 
Osquery
OsqueryOsquery
Osquery
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
GPU Virtualization in SUSE
GPU Virtualization in SUSEGPU Virtualization in SUSE
GPU Virtualization in SUSE
 
Troubleshooting Apache® Ignite™
Troubleshooting Apache® Ignite™Troubleshooting Apache® Ignite™
Troubleshooting Apache® Ignite™
 
Ethical Hacking Workshop Presentation
Ethical Hacking Workshop PresentationEthical Hacking Workshop Presentation
Ethical Hacking Workshop Presentation
 
The Indicators of Compromise
The Indicators of CompromiseThe Indicators of Compromise
The Indicators of Compromise
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
 

Similar to DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht

Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin
 
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Igor Korkin
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423
Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423
Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423
Giulio Vian
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminar
guest5b5549
 

Similar to DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht (20)

Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
 
Must Read HP Data Protector Interview Questions
Must Read HP Data Protector Interview QuestionsMust Read HP Data Protector Interview Questions
Must Read HP Data Protector Interview Questions
 
Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423
Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423
Infrastructure as Code in your CD pipelines - London Microsoft DevOps 0423
 
File000127
File000127File000127
File000127
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
Ch04 system administration
Ch04 system administration Ch04 system administration
Ch04 system administration
 
Ch04
Ch04Ch04
Ch04
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminar
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 

More from Felipe Prado

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht

  • 1. EDR Is Coming; Hide yo Sh!t @TTimzen @r00tkillah
  • 2. Who are we? Michael “@r00tkillah” Leibowitz Topher Timzen (@TTimzen) NSA Playset C# Malware is <3 Principle Troublemaker Principal Vulnerability Enthusiast RED TEAM ! ! ! !
  • 3. Agenda ● What is EDR and why do we care? ● UEFI security and variables overview ● Windows platform hijinks with demo ● Linux platform hijinks with demo ● What does this all mean? ● Mitigations and Recommendations ● Future work ● Conclusions
  • 4. EDR
  • 5. Enterprise Detection and Response (EDR) Defensive tooling that focuses on detecting, investigating and mitigating suspicious activities on hosts and endpoints. Provides Blue Team a hunt capability Alerts mapped to MITRE ATT&CK via a SIEM or EDR directly CrowdStrike and Carbon Black are big players in this space
  • 6. MITRE ATT&CK - https://attack.mitre.org/ Knowledge base of adversary tactics and techniques based on real-world observation - Tactics, Techniques, Procedures (TTP)
  • 7. Enterprise Detection and Response (EDR) Tuned for processes, commands and API Calls ● cmd.exe /c ● powershell.exe ● Registry modifications ● Scheduled Tasks All of these mapped to MITRE TTPs
  • 8. The Other Risk Curve Time -> LikelihoodofDetection Initial shell popped Persistence phase starts
  • 10. The Other Risk Curve (Modified) Time -> LikelihoodofDetection Initial shell popped Persistence phase starts
  • 11. UEFI
  • 12. Unified Extensible Firmware Interface (UEFI) Trusted Platforms UEFI, PI and TCG-based firmware (Zimmer, Dasari, & Brogan, 2009, p. 16)
  • 13. But Why UEFI Firmware Variables? Hides payload from AV, and EDR, and requires memory forensics to investigate EDR platform getting your reader binary doesn’t mean anything Tons of places to hide there! ● Test0 E660597E-B94D-4209-9C80-1805B5D19B69 NV+BS+RT ● Test1 E660597E-B94D-4209-9C80-1805B5D19B69 NV+BS+RT
  • 14. UEFI Firmware Variables Authenticated ● Secure boot nonsense (PK, KEK, db/dbx) ● Performs a certificate check when writing variable Unauthenticated ● No verification on write ● Majority of variables are unauthenticated
  • 15. UEFI Firmware Variable Attributes UEFI specification defines variable attributes can be ● Non-volatile (NV) ● Boot services access (BS) ● Runtime access (RT) ● Hardware error record (HR) ● Count based authenticated write access ● Time based authenticated write access (AT)
  • 17. UEFI On Windows “Starting with Windows 10, version 1803, Universal Windows apps can use GetFirmwareEnvironmentVariable and SetFirmwareEnvironmentVariable (and their 'ex' variants) to access UEFI firmware variables” SE_SYSTEM_ENVIRONMENT_NAME privilege Is required to Read/Write Administration account with Universal Windows App “required” https://docs.microsoft.com/en-us/windows/desktop/sysinfo/access-uefi-firmware-variables-from-a-universal-windows-app
  • 18. Read/Write UEFI Firmware Variable API
  • 19. dwAttributes Value Meaning VARIABLE_ATTRIBUTE_NON_VOLATILE 0x00000001 The firmware environment variable is stored in non-volatile memory (e.g. NVRAM). VARIABLE_ATTRIBUTE_BOOTSERVICE_ACCE SS 0x00000002 The firmware environment variable can be accessed during boot service. VARIABLE_ATTRIBUTE_RUNTIME_ACCESS 0x00000004 The firmware environment variable can be accessed at runtime. Note: Variables with this attribute set, must also have VARIABLE_ATTRIBUTE_BOOTSERVICE_ACCE SS set.
  • 20. C++ [&& or ||] C# C++ is a viable option and was the initial language used, however ● Too many API calls to Virtual* ○ Requires RWX memory to be present for execution ○ EDR and AV see these API calls ○ C# can do everything needed with Reflection ● More difficult to bypass WDAC ● C# Allows for easy use of Cobalt Strike + Powerpick ● Reference code available in repo for both
  • 21. Steps for Writing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. Get address of a pinned buffer in C# (payload) 3. Write to UEFI variable with SetFirmwareEnvironmentVariableEx()
  • 22. Steps for Writing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv()
  • 23. Steps for Writing UEFI variable 2. Get address of a pinned buffer in C# (payload)
  • 24. Steps for Writing UEFI variable 3. Write to UEFI variable with SetFirmwareEnvironmentVariableEx()
  • 25. Steps for Executing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. P/Invoke with Virtual(Alloc, Protect) to obtain RWX Memory 3. Obtain UEFI variable payload with GetFirmwareEnvironmentVariableEx()
  • 26. Steps for Reading UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv()
  • 27. Steps for Executing UEFI variable 2. P/Invoke with Virtual(Alloc, Protect) to obtain RWX Memory
  • 28. C# and P/Invoke Virtual(Alloc, Protect) API Calls https://www.hybrid-analysis.com/sample/5aba178a512ae2c1c5afccf113c6dc0f80c 47fdeee294781483b8aa07002cf39/5c74860b028838095154dad0
  • 30. Steps for Executing UEFI variable 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. P/Invoke RWX Memory 3. Obtain UEFI variable payload with GetFirmwareEnvironmentVariableEx()
  • 31. Steps for Executing UEFI variable to Evade EDR and AV 1. Obtain SE_SYSTEM_ENVIRONMENT_NAME with SetPriv() 2. Reflectively obtain RWX JIT memory page to read UEFI variable into 3. Write UEFI variable payload to method ptr with GetFirmwareEnvironmentVariableEx() 4. Execute method
  • 32. C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ Method Table contains address of JIT stub for a class’s methods. During JIT the Method Table is referenced Grab Method Ptr as RWX memory location and overwrite it!
  • 33. C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ 2. Reflectively obtain RWX JIT memory page to read UEFI variable into A. Define a method to overwrite B. JIT the method C. Obtain ptr to method
  • 34. C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ A. Define a method to overwrite
  • 35. C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ B. JIT the method C. Obtain ptr to method
  • 36. C# with Reflection for Method Ptr Overwrite to Execute https://www.tophertimzen.com/blog/dotNetMachineCodeManipulation/ 3. Write UEFI variable payload to method ptr with GetFirmwareEnvironmentVariableEx() 4. Execute method
  • 37. Steps for Infection (Demo) 1. Obtain shell on target 2. Run WriteUEFICSharp 3. Set persistence for ReadUEFICSharp 4. Run ReadUEFICSharp
  • 39. Persistence? Exercise up to the reader WDAC Bypasses are a good means to persist with unsigned code Your payload is in a UEFI variable, GLHF Analyst!
  • 40. What About Windows EDR Products? We saw no relevant information in EDR pertaining to the usage of UEFI variables Startup events are seen without rootkit, but no malicious activity reported ● AV is clean ● No Virtual* API Calls
  • 42. WDAC Bypasses There has been a lot of research on bypassing WDAC and Windows Universal Apps - https://posts.specterops.io/arbitrary-unsigned-code-execution-v ector-in-microsoft-workflow-compiler-exe-3d9294bc5efb - https://bohops.com/2019/01/10/com-xsl-transformation-bypassi ng-microsoft-application-control-solutions-cve-2018-8492/ Singed Code is not a proper mitigation currently in Windows 10
  • 44. The Problem Space The Kernel Your Sample EDR
  • 45. Envisioning The Solution The Kernel Your Payload EDR
  • 47. Linux Boot Flow UEFI shim Signed by MSFT Signed by OEM
  • 48. Linux Boot Flow UEFI shim grub Signed by distro Signed by MSFT Signed by OEM
  • 49. Linux Boot Flow UEFI shim grub linux Signed by distro Signed by MSFT Signed by OEM
  • 50. Linux Boot Flow UEFI shim grub linux Signed by distro Signed by MSFT Signed by OEM Unsigned and generated on system ramdisk
  • 51. Linux Boot Flow UEFI shim grub linux Signed by distro Signed by MSFT Signed by OEM Unsigned and generated on system ramdisk EDR
  • 52. ptrace, Man! man (2) ptrace + PTRACE_SETREGS + PTRACE_PEEKTEXT, PTRACE_PEEKDATA + PTRACE_POKETEXT, PTRACE_POKEDATA - YAMA - SELinux/AppArmor/SMACK/TOMOYO/etc + Policy applied in userspace!!
  • 55. Boot Flow, Continued 1 1 exec Ramdisk land Rootfs land EDRPolicy load
  • 56. fanotify, man! man (7) fanotify DESCRIPTION The fanotify API provides notification and interception of filesystem events. Use cases include virus scanning and hierarchical storage management.
  • 57. memfd_create, man! man (2) memfd_create DESCRIPTION memfd_create() creates an anonymous file and returns a file descriptor that refers to it. The file behaves like a regular file … … it lives in RAM and has a volatile backing storage.
  • 58. PR_SET_TIMERSLACK Since Linux 4.6, the "current" timer slack value of any process can be examined and changed via the file /proc/[pid]/timerslack_ns. See proc(5).
  • 59. CONFIG_EFI_VARS config EFI_VARS If you say Y here, you are able to get EFI (Extensible Firmware Interface) variable information via sysfs. You may read, write, create, and destroy EFI variables through this interface.
  • 60. Surviving MS_MOVE 1. Poll on /proc/self/mounts 2. Sleep while initramfs finishes and init starts 3. Create a new mount namespace 4. Mount proc (it's not in initramfs) 5. Set mount namespace to init's namespace through setns 6. chroot(“/proc/1/root”) 7. chdir(“.”) 8. chroot(“/”)
  • 62. Boot Flow, Modified 1 exec Ramdisk land fork UEFI open
  • 63. Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork UEFI
  • 64. Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork UEFI
  • 65. Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork STOP UEFI
  • 66. Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork ptrace UEFI
  • 67. Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax 0x7fa413d56bb5 <epoll_wait+85>: syscall => 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2
  • 68. Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax => 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x13f (memfd_create)
  • 69. Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax => 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x13f (memfd_create) .ELF............
  • 70. Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax => 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x9 (mmap) 0x90 0x90 0x90 0x90 0x90 .ELF............
  • 71. Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax 0x7fa413d56bb5 <epoll_wait+85>: syscall 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x9 (mmap) => 0x90 0x90 0x90 0x90 0x90 .ELF............ ret2libc (dlopen)
  • 72. Ptrace 0x7fa413d56ba2 <epoll_wait+66>: mov %r13d,%r10d 0x7fa413d56ba5 <epoll_wait+69>: mov %eax,%r8d 0x7fa413d56ba8 <epoll_wait+72>: mov %r12d,%edx 0x7fa413d56bab <epoll_wait+75>: mov %rbp,%rsi 0x7fa413d56bae <epoll_wait+78>: mov %ebx,%edi 0x7fa413d56bb0 <epoll_wait+80>: mov $0xe8,%eax 0x7fa413d56bb5 <epoll_wait+85>: syscall => 0x7fa413d56bb7 <epoll_wait+87>: cmp $0xfffffffffffff000,%rax 0x7fa413d56bbd <epoll_wait+93>: ja 0x7fa413d56bf2 eax: 0x9 (mmap) 0x90 0x90 0x90 0x90 0x90 .ELF............ ret
  • 73. Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork CONT UEFI
  • 74. Boot Flow, Modified 1 1 exec Ramdisk land Rootfs land fork UEFI
  • 75. Linux Demo 1. See noise in auditd of exploiting enterprise_tool 2. Install implant into UEFI and ramdisk 3. Reboot 4. Set timerslack marker 5. Exploit enterprise_tool 6. See no output in log 7. Show policy in place 8. Show variable
  • 77. What does this all mean?
  • 80. Mitigations and Recommendations Monitor and Audit UEFI variables across your organizations fleet EDR Should detect UEFI APIs ● It is not common for apps to Set/Get Firmware Variables ● NV+BS+RT Variables are suspicious if created after installation of platform
  • 81. Mitigations and Recommendations EDR Tamper Resistance is not effective ● Sinkholing or killing the sensor usually does not give alerts ● Vendors need to work on securing their processes ○ Alert on sinkhole ○ Do not allow ptrace Stop assembling ramdisks on systems!
  • 83. Future Work Look into hiding inside of UEFI Configuration Storage Analyze more EDR products and how they handle UEFI variables Use these techniques in more Red Team engagements to increase defender efficacy Look at more platforms for their usage of UEFI variables ● More places to hide
  • 84. Closing Have yourself a uefi.party and plunder away your loot! Sucker punch that pesky EDR! GitHub Repo at https://github.com/perturbed-platypus
  • 86. References for MITRE TTPs Tuned for processes, commands and API Calls ● cmd.exe /c ○ https://attack.mitre.org/techniques/T1059/ ● powershell.exe ○ https://attack.mitre.org/techniques/T1086/ ● Registry modifications ○ https://attack.mitre.org/techniques/T1112/ ● Scheduled Tasks ○ https://attack.mitre.org/techniques/T1053/
  • 87. EOF