SlideShare a Scribd company logo

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

44CON
44CON

Windows 10: 2 Steps Forward, 1 Step Back by James Forshaw

Technology
1 of 54
Download to read offline
Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo 44con 2015 1
James Forshaw @tiraniddo Obligatory Background Slide 2 ● Researcher in Google’s Project Zero team ● Specialize in Windows ○ Especially local privilege escalation ● Never met a logical vulnerability I didn’t like
James Forshaw @tiraniddo What I’m Going to Talk About ● Some research on Windows 10 from the early preview builds ● Why Windows 10 is awesome for security ● Except for when it isn’t! ● Very much looking at things from a local privilege escalation perspective 3
James Forshaw @tiraniddo Windows 10 4
James Forshaw @tiraniddo Windows Local Attack Surface 5
James Forshaw @tiraniddo Local System Vulnerabilities are Dead! 6 #opfreecalc
James Forshaw @tiraniddo System Services and Drivers 7 Windows 7 SP1 Windows 8.1 Windows 10 Services 150 169 196 Drivers 238 253 291 7 8 10
James Forshaw @tiraniddo Service Privilege Levels 8 Windows 7 SP1 Windows 8.1 Windows 10 Local System 53.69% 56.89% 61.14% Local Service 32.21% 31.14% 28.50% Network Service 14.09% 11.98% 10.36% 7 8 10
James Forshaw @tiraniddo SVCHOST Running as User? 9 Malware? Nope!
James Forshaw @tiraniddo Service Start Mode 10 Windows 7 Windows 8.1 Windows 10 Auto 30.07% 26.19% 24.10% Disabled 5.23% 3.57% 2.05% Manual 53.59% 43.45% 42.56% Triggered 11.11% 26.79% 31.28% 7 8 10
James Forshaw @tiraniddo Accessible Device Objects 11 7 8 10 Windows 7 Windows 8.1 Windows 10 Read/Write 64 54 52 Read-Only 6 6 5
James Forshaw @tiraniddo Isolated User Mode 12
James Forshaw @tiraniddo Isolated LSASS 13 Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130
James Forshaw @tiraniddo But Sadly ● Not available in consumer builds only Enterprise ● Can’t use your own code to isolate anything ● Very restrictive use 14
James Forshaw @tiraniddo Edge Browser 15
James Forshaw @tiraniddo Microsoft Edge Security 16 ActiveX is gone(ish) AppContainer Sandbox Always On
James Forshaw @tiraniddo Microsoft Edge and Flash 17 Nope!
James Forshaw @tiraniddo Has No One Learnt from the Past? 18
James Forshaw @tiraniddo Guess Trident Wasn’t a Suitable Base? 19
James Forshaw @tiraniddo User Account Control 20
James Forshaw @tiraniddo They’ve Fixed Some Bugs I’ve Reported 21 https://code.google.com/p/google-security-research/issues/detail?id=156 https://code.google.com/p/google-security-research/issues/detail?id=220
James Forshaw @tiraniddo UAC Auto Elevation Directory Check 22 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
James Forshaw @tiraniddo Folder Permissions 23 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
James Forshaw @tiraniddo AiCheckSecureApplicationDirectory Bypass 24 ● Need to be able to write a file with a secure path ● How can we write to C:Windows without writing to C:Windows? c:windows malicious.exe ALLOWED c:windows ???? ALLOWED?
James Forshaw @tiraniddo NTFS Alternate Data Streams FTW! 25 c:windows tracing:malicious.exe ALLOWED ● Only need FILE_WRITE_DATA/FILE_ADD_FILE access right on directory to created named stream.
James Forshaw @tiraniddo Didn’t Fix All my UAC Bypasses Though 26 https://code.google.com/p/google-security-research/issues/detail?id=219
James Forshaw @tiraniddo DEMO Elevated Token Capture 27
James Forshaw @tiraniddo 28 Well MS Almost Did If Token Level < Impersonate If Process has Impersonate Privilege ALLOWED Restrict to Identification Level If Process IL < Token IL If Process User == Token User Elevation Check
James Forshaw @tiraniddo Elevated Token Impersonation ● Blocks impersonating an elevated token unless process token is also elevated ● Must be enabled in SeCompatFlags kernel flag 29 if (SeTokenIsElevated(ImpersonationToken)) { if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) { return STATUS_PRIVILEGE_NOT_HELD; } }
James Forshaw @tiraniddo In The End Still the “Wrong” Default IMO! 30
James Forshaw @tiraniddo If You Change Task Manager Needs a Prompt 31
James Forshaw @tiraniddo Windows Symbolic Links 32 Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions Windows Vista - Nov 30 2006 NTFS Symbolic Links
James Forshaw @tiraniddo Mitigated in Sandboxes 33 NTFS Mount Points Registry Key Symbolic Links Object Manager Symbolic Links BANNED LIMITED LIMITED
James Forshaw @tiraniddo Mitigations Backported 34
James Forshaw @tiraniddo DEMO NTFS Mount Point Mitigation Bypass 35
James Forshaw @tiraniddo Win32k Hardening 36
James Forshaw @tiraniddo Fonts Are Bad 37
James Forshaw @tiraniddo Making it Less Bad User Mode Font Driver 38 Disable Custom Font Policy (undocumented) PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 }; policy.DisableNonSystemFonts = 1; policy.AuditNonSystemFontLoading = 1; SetProcessMitigationPolicy( ProcessFontDisablePolicy, &policy, sizeof(policy));
James Forshaw @tiraniddo User Mode Font Driver Only SYSTEM can open process?Running as user in AppContainer 39
James Forshaw @tiraniddo Process Token Default DACL After September Patch 40 Before September Patch
James Forshaw @tiraniddo Thread DACLs Allow User Access 41
James Forshaw @tiraniddo Extra, UMFD Only Win32k Escape Calls 42 NtGdiEscape Command UMFD Escape Call 13 UmfdEscEngGetFileChangeTime 14 UmfdEscEngGetFilePath 15 UmfdEscEngComputeGlyphSet 16 UmfdEscEngCreateFile 17 UmfdEscParseFontResources 18 atmfdFontManagement (enable kernel ATMFD driver) And Others ...
James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 43 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch
James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 44 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch Attacker Controlled No Security Check All Gone
James Forshaw @tiraniddo Process Silos ● New process container mechanism ● Possibly related to docker support ● Works in a similar fashion to process jobs 45 NTSTATUS NtCreateSiloObject( PHANDLE handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
James Forshaw @tiraniddo Opening Device Object 46 DeviceHarddisk1SomeName DeviceHarddisk1 SomeName Device Path Native NT Path Device Namespace Path Harddisk Driver Create File Handler Driver Responsible for Security
James Forshaw @tiraniddo Replace the Root Object Directory 47 // Create anonymous directory object InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); NtCreateDirectoryObject(&hDir, &ObjectAttributes, ...); NtSetInformationSiloObject(hSilo, SiloObjectRootDirectory, &hDir, sizeof(hDir)); NtAssignProcessToSiloObject(hSilo, GetCurrentProcess()); // Process root directory now empty Exploit: https://code.google.com/p/google-security-research/issues/detail?id=459
James Forshaw @tiraniddo Fixed in RTM ● Silo functionality rolled into Job objects ● Changed object directory now behind a TCB check ● Shame for Chrome, would have been a useful feature 48
James Forshaw @tiraniddo Public Service Announcement Doing too much security research on Beta software can make you sad 49
James Forshaw @tiraniddo (Dis)Honourable Mentions Control Flow Guard (CFG) Privacy Options Cumulative Updates Microsoft Cross-Signed Drivers 50
James Forshaw @tiraniddo Conclusions 51 2 steps forward, 1 step back. Still plenty of things to attack!
James Forshaw @tiraniddo DEMO Local System Elevation 52
James Forshaw @tiraniddo Good Old Issue 222 53 https://code.google.com/p/google-security-research/issues/detail?id=222
James Forshaw @tiraniddo Questions? 54

Recommended

Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsJames Forshaw
 
Time complexity (linear search vs binary search)
Time complexity (linear search vs binary search)Time complexity (linear search vs binary search)
Time complexity (linear search vs binary search)Kumar
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Windows batch scripting
Windows batch scriptingWindows batch scripting
Windows batch scriptingArghodeepPaul
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 

Recommended

Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsJames Forshaw
 
Time complexity (linear search vs binary search)
Time complexity (linear search vs binary search)Time complexity (linear search vs binary search)
Time complexity (linear search vs binary search)Kumar
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Windows batch scripting
Windows batch scriptingWindows batch scripting
Windows batch scriptingArghodeepPaul
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadAzad Mzuri
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Sqrrl
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Rules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteRules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteMarkDowd13
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
OSINT Tool - Reconnaissance with Maltego
OSINT Tool - Reconnaissance with MaltegoOSINT Tool - Reconnaissance with Maltego
OSINT Tool - Reconnaissance with MaltegoRaghav Bisht
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsBishop Fox
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on WindowsOWASP Delhi
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 

More Related Content

What's hot

EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadAzad Mzuri
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Sqrrl
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Rules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteRules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteMarkDowd13
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
OSINT Tool - Reconnaissance with Maltego
OSINT Tool - Reconnaissance with MaltegoOSINT Tool - Reconnaissance with Maltego
OSINT Tool - Reconnaissance with MaltegoRaghav Bisht
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsBishop Fox
 

What's hot (20)

Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by Azad
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Rules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynoteRules to Hack By - Offensivecon 2022 keynote
Rules to Hack By - Offensivecon 2022 keynote
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
OSINT Tool - Reconnaissance with Maltego
OSINT Tool - Reconnaissance with MaltegoOSINT Tool - Reconnaissance with Maltego
OSINT Tool - Reconnaissance with Maltego
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation Methods
 

Viewers also liked

Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on WindowsOWASP Delhi
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Entrevista Hector Robles revista MED PLUS n99
Entrevista Hector Robles revista MED PLUS n99Entrevista Hector Robles revista MED PLUS n99
Entrevista Hector Robles revista MED PLUS n99Hector Robles
 
Useful facts
Useful factsUseful facts
Useful factsbc dalai
 
CMIS 320 RESEARCH PAPER
CMIS 320 RESEARCH PAPERCMIS 320 RESEARCH PAPER
CMIS 320 RESEARCH PAPERHamesKellor
 
CMIT 321 WEEK 2 QUIZ
CMIT 321 WEEK 2 QUIZCMIT 321 WEEK 2 QUIZ
CMIT 321 WEEK 2 QUIZHamesKellor
 
Chapter10 Server Administration
Chapter10 Server AdministrationChapter10 Server Administration
Chapter10 Server AdministrationRaja Waseem Akhtar
 
Windows Server 2003 Administration
Windows Server 2003 AdministrationWindows Server 2003 Administration
Windows Server 2003 AdministrationLearnItFirst.com
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON
 

Viewers also liked (20)

Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on Windows
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
1
11
1
 
Entrevista Hector Robles revista MED PLUS n99
Entrevista Hector Robles revista MED PLUS n99Entrevista Hector Robles revista MED PLUS n99
Entrevista Hector Robles revista MED PLUS n99
 
Useful facts
Useful factsUseful facts
Useful facts
 
Hedly
HedlyHedly
Hedly
 
CMIS 320 RESEARCH PAPER
CMIS 320 RESEARCH PAPERCMIS 320 RESEARCH PAPER
CMIS 320 RESEARCH PAPER
 
CMIT 321 WEEK 2 QUIZ
CMIT 321 WEEK 2 QUIZCMIT 321 WEEK 2 QUIZ
CMIT 321 WEEK 2 QUIZ
 
operating system 1
operating system 1operating system 1
operating system 1
 
Chapter10 Server Administration
Chapter10 Server AdministrationChapter10 Server Administration
Chapter10 Server Administration
 
Windows Server 2003 Administration
Windows Server 2003 AdministrationWindows Server 2003 Administration
Windows Server 2003 Administration
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case Study
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
 

Similar to 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator actionPacSecJP
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)INSIGHT FORENSIC
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windowsArpan Raval
 
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...Soya Aoyama
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainIgor Korkin
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)abend_cve_9999_0001
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...CODE BLUE
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackSoya Aoyama
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들GangSeok Lee
 
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsBad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsVincent Tan
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelIgor Korkin
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 

Similar to 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back (20)

James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator action
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windows
 
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
 
Man-In-The-Disk
Man-In-The-DiskMan-In-The-Disk
Man-In-The-Disk
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
 
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsBad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 

More from 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

  • 1. Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo 44con 2015 1
  • 2. James Forshaw @tiraniddo Obligatory Background Slide 2 ● Researcher in Google’s Project Zero team ● Specialize in Windows ○ Especially local privilege escalation ● Never met a logical vulnerability I didn’t like
  • 3. James Forshaw @tiraniddo What I’m Going to Talk About ● Some research on Windows 10 from the early preview builds ● Why Windows 10 is awesome for security ● Except for when it isn’t! ● Very much looking at things from a local privilege escalation perspective 3
  • 5. James Forshaw @tiraniddo Windows Local Attack Surface 5
  • 6. James Forshaw @tiraniddo Local System Vulnerabilities are Dead! 6 #opfreecalc
  • 7. James Forshaw @tiraniddo System Services and Drivers 7 Windows 7 SP1 Windows 8.1 Windows 10 Services 150 169 196 Drivers 238 253 291 7 8 10
  • 8. James Forshaw @tiraniddo Service Privilege Levels 8 Windows 7 SP1 Windows 8.1 Windows 10 Local System 53.69% 56.89% 61.14% Local Service 32.21% 31.14% 28.50% Network Service 14.09% 11.98% 10.36% 7 8 10
  • 9. James Forshaw @tiraniddo SVCHOST Running as User? 9 Malware? Nope!
  • 10. James Forshaw @tiraniddo Service Start Mode 10 Windows 7 Windows 8.1 Windows 10 Auto 30.07% 26.19% 24.10% Disabled 5.23% 3.57% 2.05% Manual 53.59% 43.45% 42.56% Triggered 11.11% 26.79% 31.28% 7 8 10
  • 11. James Forshaw @tiraniddo Accessible Device Objects 11 7 8 10 Windows 7 Windows 8.1 Windows 10 Read/Write 64 54 52 Read-Only 6 6 5
  • 13. James Forshaw @tiraniddo Isolated LSASS 13 Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130
  • 14. James Forshaw @tiraniddo But Sadly ● Not available in consumer builds only Enterprise ● Can’t use your own code to isolate anything ● Very restrictive use 14
  • 16. James Forshaw @tiraniddo Microsoft Edge Security 16 ActiveX is gone(ish) AppContainer Sandbox Always On
  • 17. James Forshaw @tiraniddo Microsoft Edge and Flash 17 Nope!
  • 18. James Forshaw @tiraniddo Has No One Learnt from the Past? 18
  • 19. James Forshaw @tiraniddo Guess Trident Wasn’t a Suitable Base? 19
  • 20. James Forshaw @tiraniddo User Account Control 20
  • 21. James Forshaw @tiraniddo They’ve Fixed Some Bugs I’ve Reported 21 https://code.google.com/p/google-security-research/issues/detail?id=156 https://code.google.com/p/google-security-research/issues/detail?id=220
  • 22. James Forshaw @tiraniddo UAC Auto Elevation Directory Check 22 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
  • 23. James Forshaw @tiraniddo Folder Permissions 23 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
  • 24. James Forshaw @tiraniddo AiCheckSecureApplicationDirectory Bypass 24 ● Need to be able to write a file with a secure path ● How can we write to C:Windows without writing to C:Windows? c:windows malicious.exe ALLOWED c:windows ???? ALLOWED?
  • 25. James Forshaw @tiraniddo NTFS Alternate Data Streams FTW! 25 c:windows tracing:malicious.exe ALLOWED ● Only need FILE_WRITE_DATA/FILE_ADD_FILE access right on directory to created named stream.
  • 26. James Forshaw @tiraniddo Didn’t Fix All my UAC Bypasses Though 26 https://code.google.com/p/google-security-research/issues/detail?id=219
  • 28. James Forshaw @tiraniddo 28 Well MS Almost Did If Token Level < Impersonate If Process has Impersonate Privilege ALLOWED Restrict to Identification Level If Process IL < Token IL If Process User == Token User Elevation Check
  • 29. James Forshaw @tiraniddo Elevated Token Impersonation ● Blocks impersonating an elevated token unless process token is also elevated ● Must be enabled in SeCompatFlags kernel flag 29 if (SeTokenIsElevated(ImpersonationToken)) { if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) { return STATUS_PRIVILEGE_NOT_HELD; } }
  • 30. James Forshaw @tiraniddo In The End Still the “Wrong” Default IMO! 30
  • 31. James Forshaw @tiraniddo If You Change Task Manager Needs a Prompt 31
  • 32. James Forshaw @tiraniddo Windows Symbolic Links 32 Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions Windows Vista - Nov 30 2006 NTFS Symbolic Links
  • 33. James Forshaw @tiraniddo Mitigated in Sandboxes 33 NTFS Mount Points Registry Key Symbolic Links Object Manager Symbolic Links BANNED LIMITED LIMITED
  • 35. James Forshaw @tiraniddo DEMO NTFS Mount Point Mitigation Bypass 35
  • 38. James Forshaw @tiraniddo Making it Less Bad User Mode Font Driver 38 Disable Custom Font Policy (undocumented) PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 }; policy.DisableNonSystemFonts = 1; policy.AuditNonSystemFontLoading = 1; SetProcessMitigationPolicy( ProcessFontDisablePolicy, &policy, sizeof(policy));
  • 39. James Forshaw @tiraniddo User Mode Font Driver Only SYSTEM can open process?Running as user in AppContainer 39
  • 40. James Forshaw @tiraniddo Process Token Default DACL After September Patch 40 Before September Patch
  • 41. James Forshaw @tiraniddo Thread DACLs Allow User Access 41
  • 42. James Forshaw @tiraniddo Extra, UMFD Only Win32k Escape Calls 42 NtGdiEscape Command UMFD Escape Call 13 UmfdEscEngGetFileChangeTime 14 UmfdEscEngGetFilePath 15 UmfdEscEngComputeGlyphSet 16 UmfdEscEngCreateFile 17 UmfdEscParseFontResources 18 atmfdFontManagement (enable kernel ATMFD driver) And Others ...
  • 43. James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 43 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch
  • 44. James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 44 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch Attacker Controlled No Security Check All Gone
  • 45. James Forshaw @tiraniddo Process Silos ● New process container mechanism ● Possibly related to docker support ● Works in a similar fashion to process jobs 45 NTSTATUS NtCreateSiloObject( PHANDLE handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
  • 46. James Forshaw @tiraniddo Opening Device Object 46 DeviceHarddisk1SomeName DeviceHarddisk1 SomeName Device Path Native NT Path Device Namespace Path Harddisk Driver Create File Handler Driver Responsible for Security
  • 47. James Forshaw @tiraniddo Replace the Root Object Directory 47 // Create anonymous directory object InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); NtCreateDirectoryObject(&hDir, &ObjectAttributes, ...); NtSetInformationSiloObject(hSilo, SiloObjectRootDirectory, &hDir, sizeof(hDir)); NtAssignProcessToSiloObject(hSilo, GetCurrentProcess()); // Process root directory now empty Exploit: https://code.google.com/p/google-security-research/issues/detail?id=459
  • 48. James Forshaw @tiraniddo Fixed in RTM ● Silo functionality rolled into Job objects ● Changed object directory now behind a TCB check ● Shame for Chrome, would have been a useful feature 48
  • 49. James Forshaw @tiraniddo Public Service Announcement Doing too much security research on Beta software can make you sad 49
  • 50. James Forshaw @tiraniddo (Dis)Honourable Mentions Control Flow Guard (CFG) Privacy Options Cumulative Updates Microsoft Cross-Signed Drivers 50
  • 51. James Forshaw @tiraniddo Conclusions 51 2 steps forward, 1 step back. Still plenty of things to attack!
  • 52. James Forshaw @tiraniddo DEMO Local System Elevation 52
  • 53. James Forshaw @tiraniddo Good Old Issue 222 53 https://code.google.com/p/google-security-research/issues/detail?id=222