
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go :(" [rooted2019]

  1. The Art of Persistence: "Mr. Windows… I don't wanna go :(" - Sheila Ayelen Berta (@UnaPibaGeek)
  2. Sheila A. Berta - @UnaPibaGeek. Offensive Security Researcher. A little bit more: developer in ASM (microcontrollers and x86/x64 microprocessors), C/C++, Go and Python. Speaker at Black Hat Briefings, DEFCON, Ekoparty, HITB, etc… and RootedCon! :D
  3. What does "persistence" mean?
  4. "Run keys", since a long time ago… HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  5. "Run keys", since a long time ago… HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  6. "Run keys", since a long time ago… …\CurrentVersion\Policies\Explorer\Run, …\CurrentVersion\Explorer\Shell Folders
  7. Is this the best way?
  8. Welcome to… The Art of Persistence
  9. COM Objects… - C++ class - Out-of-Process / In-Process (In-Process)
  10. Globally Unique Identifier (GUID)… 16-byte array (GUID) - CLSID
  11. Windows Registry… HKLM\Software\Classes\CLSID\<GUID>, HKCU\Software\Classes\CLSID\<GUID>
  12. Windows Registry… InprocServer32 / InprocServer / InprocHandler32 / InprocHandler
  13. Persistence via Shell Extensions
  14. Shell Extension Handlers…
  15. Shell Extension Handlers… (registry) - System-wide: HKLM\Software\Classes\*\shellex
  16. Shell Extension Handlers… (registry) - Current User: HKCU\Software\Classes\*\shellex. NO ADMIN PRIVILEGES REQUIRED
  17. Registering our own Shell Extension
  18. Malicious Shell Extension to persist: Registry Key 1, Registry Key 2, Malware downloader
  19. Sheila A. Berta - @UnaPibaGeek
  20. To sum up… - Shell Extensions can be used for malware persistence. - The attacker does not need admin privileges. - Stealthy method! Recommendation… - Use PowerShell: it is a trusted Windows binary, so it lets you write to the registry without restrictions.
  21. Persistence via COM hijack
  22. COM hijack fundamentals… NO ADMIN PRIVILEGES REQUIRED. Right COM path: HKLM\Software\Classes\CLSID\<GUID>\InprocServer32 (Default) = C:\Path\To\DLL. First search: HKCU\Software\Classes\CLSID\<GUID>\InprocServer32 (Default) = C:\Path\To\DLL → NOT FOUND → POSSIBLE HIJACK
  23. Hunting vulnerable Apps…
  24. Chrome COM hijacking…
  25. Sheila A. Berta - @UnaPibaGeek
  26. "Native" COM objects…
  27. HKCR Poisoning… HKLM\Software\Classes + HKCU\Software\Classes → HKEY_CLASSES_ROOT. NO ADMIN PRIVILEGES REQUIRED
  28. "Native" COM hijack… (Windows 10)
  29. Sheila A. Berta - @UnaPibaGeek
  30. To sum up… - Apps and native COM objects vulnerable to COM hijack can be used for malware persistence. - The attacker does not need admin privileges. - Super stealthy method!! Remember… - Use PowerShell to bypass restrictions :-)
  31. Persistence via Extension Handler Hijack
  32. Extension Handlers…
  33. Extension Handler Hijack…
  34. Extension Handler Hijack…
  35. Sheila A. Berta - @UnaPibaGeek
  36. Extension Handler Hijack… with proxy!
  37. Sheila A. Berta - @UnaPibaGeek
  38. To sum up… - Extension Handlers can be hijacked for malware persistence. - The attacker does not need admin privileges. - Super stealthy method!! - PowerShell is not necessary: the HKU registry can be edited without restrictions :-)
  39. Conclusions… Features of Windows can be abused to make malware persistence stealthier.
  40. Thank you! Sheila Ayelen Berta (@UnaPibaGeek)
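
As an added defender-side example (not part of the slides and not the speaker's code), the PowerShell audit below enumerates the per-user registry locations the talk relies on: HKCU CLSID InprocServer32 entries, which are consulted before the HKLM ones (slides 11 and 22); per-user shell extension handlers under HKCU\Software\Classes\*\shellex (slides 15 and 16); and per-user file-type handlers (slides 31 to 38; the slides do not show the exact mechanism, so the per-user ProgID and shell\open\command lookup used here is my assumption). The function names are mine. It assumes the built-in HKCU: and HKLM: drives of Windows PowerShell 5.1 or PowerShell 7 and only reads the registry.

```powershell
# Added audit example; not code from the talk. Function names are hypothetical.
# Assumes the built-in HKCU: and HKLM: registry drives. Read-only.

function Get-RegDefault {
    # Returns the (Default) value of a registry key, or $null if the key is missing.
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
    }
}

function Get-UserComRegistrations {
    # Slide 22: HKCU\Software\Classes\CLSID is searched before HKLM, so a per-user
    # InprocServer32 wins. Report each one, whether it shadows a machine-wide entry,
    # and whether the referenced DLL actually exists on disk.
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $guid    = $key.PSChildName
        $userDll = [string](Get-RegDefault "$root\$guid\InprocServer32")
        if (-not $userDll) { continue }
        $machineDll = Get-RegDefault "HKLM:\Software\Classes\CLSID\$guid\InprocServer32"
        $expanded   = [Environment]::ExpandEnvironmentVariables($userDll.Trim('"'))
        [pscustomobject]@{
            CLSID       = $guid
            UserDll     = $userDll
            MachineDll  = $machineDll
            ShadowsHKLM = [bool]$machineDll          # HKCU entry overrides an HKLM one
            DllOnDisk   = Test-Path -LiteralPath $expanded
        }
    }
}

function Get-UserShellExtensions {
    # Slides 15-16: handlers under HKCU\Software\Classes\*\shellex load into
    # Explorer without admin rights. List each category/handler with its CLSID.
    $root = 'HKCU:\Software\Classes\*\shellex'    # '*' is a literal key name here
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($category in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        foreach ($handler in Get-ChildItem -LiteralPath $category.PSPath -ErrorAction SilentlyContinue) {
            [pscustomobject]@{
                Category = $category.PSChildName   # e.g. ContextMenuHandlers
                Handler  = $handler.PSChildName
                CLSID    = Get-RegDefault $handler.PSPath
            }
        }
    }
}

function Get-UserFileTypeHandlers {
    # Slides 31-38 (mechanism assumed): a per-user ".ext" key maps to a ProgID whose
    # shell\open\command runs when the file is opened, and can proxy to the real handler.
    $root = 'HKCU:\Software\Classes'
    $extKeys = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like '.*' }
    foreach ($key in $extKeys) {
        $progId = [string](Get-RegDefault $key.PSPath)
        if (-not $progId) { continue }
        $cmd = Get-RegDefault "$root\$progId\shell\open\command"
        if ($cmd) {
            [pscustomobject]@{ Extension = $key.PSChildName; ProgId = $progId; Command = $cmd }
        }
    }
}

# Usage: surface the entries most worth a closer look.
Get-UserComRegistrations | Where-Object { $_.ShadowsHKLM -or -not $_.DllOnDisk } | Format-Table -AutoSize
Get-UserShellExtensions  | Format-Table -AutoSize
Get-UserFileTypeHandlers | Format-Table -AutoSize
```

A per-user CLSID that shadows an HKLM registration, a per-user entry whose DLL is missing (an application that probes HKCU first will load whatever later appears there), or a per-user file-type command that wraps the expected program are the conditions the slides describe, so they are the rows to review; legitimate per-user installs (user-scope Chrome, Teams, OneDrive) also appear here, so compare against a known-good baseline rather than treating every row as a finding.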
