A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
Ethical hacking : Its methodologies and toolschrizjohn896
This Presentation gives you the knowledge about ethical hacking and its methodologies. This PPT also explains the type of hackers and tools used with example of hashcat which is used to break hash algorithms like MD5, SHA1, SHA256 Etc
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
Ethical hacking : Its methodologies and toolschrizjohn896
This Presentation gives you the knowledge about ethical hacking and its methodologies. This PPT also explains the type of hackers and tools used with example of hashcat which is used to break hash algorithms like MD5, SHA1, SHA256 Etc
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
The Indian economy is classified into different sectors to simplify the analysis and understanding of economic activities. For Class 10, it's essential to grasp the sectors of the Indian economy, understand their characteristics, and recognize their importance. This guide will provide detailed notes on the Sectors of the Indian Economy Class 10, using specific long-tail keywords to enhance comprehension.
For more information, visit-www.vavaclasses.com
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
How to Split Bills in the Odoo 17 POS ModuleCeline George
Bills have a main role in point of sale procedure. It will help to track sales, handling payments and giving receipts to customers. Bill splitting also has an important role in POS. For example, If some friends come together for dinner and if they want to divide the bill then it is possible by POS bill splitting. This slide will show how to split bills in odoo 17 POS.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxEduSkills OECD
Andreas Schleicher presents at the OECD webinar ‘Digital devices in schools: detrimental distraction or secret to success?’ on 27 May 2024. The presentation was based on findings from PISA 2022 results and the webinar helped launch the PISA in Focus ‘Managing screen time: How to protect and equip students against distraction’ https://www.oecd-ilibrary.org/education/managing-screen-time_7c225af4-en and the OECD Education Policy Perspective ‘Students, digital devices and success’ can be found here - https://oe.cd/il/5yV
3. Downloaders
• Download another piece of malware
– And execute it on the local system
• Commonly use the Windows API
URLDownloadtoFileA, followed by a
call to WinExec
4. Launchers (aka Loaders)
• Prepares another piece of malware for
covert execution
– Either immediately or later
– Stores malware in unexpected places, such as
the .rsrc section of a PE file
6. Backdoors
• Provide remote access to victim machine
• The most common type of malware
• Often communicate over HTTP on Port 80
– Network signatures are helpful for detection
• Common capabilities
– Manipulate Registry, enumerate display
windows, create directories, search files, etc.
8. Windows Reverse Shells
• Basic
– Call CreateProcess and manipulate
STARTUPINFO structure
– Create a socket to remote machine
– Then tie socket to standard input, output,
and error for cmd.exe
– CreateProcess runs cmd.exe with its
window suppressed, to hide it
9. Windows Reverse Shells
• Multithreaded
– Create a socket, two pipes, and two threads
– Look for API calls to CreateThread and
CreatePipe
– One thread for stdin, one for stdout
12. Botnets v. RATs
• Botnet contain many hosts; RATs control
fewer hosts
• All bots are controlled at once; RATs
control victims one by one
• RATs are for targeted attacks; botnets are
used in mass attacks
14. Credential Stealers
• Three types
–Wait for user to log in and steal
credentials
–Dump stored data, such as password
hashes
–Log keystrokes
15. GINA Interception
• Windows XP's Graphical Identification and
Authentication (GINA)
– Intended to allow third parties to customize
logon process for RFID or smart cards
– Intercepted by malware to steal credentials
• GINA is implemented in msgina.dll
– Loaded by WinLogon executable during logon
• WinLogon also loads third-party customizations
in DLLs loaded between WinLogon and GINA
16. GINA Registry Key
• HKLMSOFTWAREMicrosoftWindows NT
CurrentVersionWinlogonGinaDLL
• Contains third-party DLLs to be loaded by
WinLogon
17. MITM Attack
• Malicious DLL must export all functions
the real msgina.dll does, to act as a MITM
– More than 15 functions
– Most start with Wlx
–Good indicator
–Malware DLL exporting a lot of Wlx
functions is probably a GINA interceptor
18. WlxLoggedOutSAS
• Most exports simply call through to the real
functions in msgina.dll
• At 2, the malware logs the credentials to the
file %SystemRoot%system32driverstcpudp.sys
19. GINA is Gone
• No longer used in Windows Vista and later
• Replaced by Credential Providers
• Link Ch 11c
20. Custom Credential Provider Rootkit on
Windows 7
• Two sets of login buttons
• Only steals passwords from second set
• Code is provided to filter out the original set
21. Hash Dumping
• Windows login passwords are stored as LM
or NTLM hashes
– Hashes can be used directly to authenticate
(pass-the-hash attack)
– Or cracked offline to find passwords
• Pwdump and Pass-the-Hash Toolkit
– Free hacking tools that provide hash dumping
– Open-source
– Code re-used in malware
– Modified to bypass antivirus
22. Pwdump
• Injects a DLL into LSASS (Local Security
Authority Subsystem Service)
– To get hashes from the SAM (Security Account
Manager)
– Injected DLL runs inside another process
– Gets all the privileges of that process
– LSASS is a common target
• High privileges
• Access to many useful API functions
23. Pwdump
• Injects lsaext.dll into lsass.exe
– Calls GetHash, an export of lsaext.dll
– Hash extraction uses undocumented Windows
function calls
• Attackers may change the name of the
GetHash function
24. Pwdump Variant
• Uses these libraries
– samsrv.dll to access the SAM
– advapi32.dll to access functions not already
imported into lsass.exe
– Several Sam functions
– Hashes extracted by SamIGetPrivateData
– Decrypted with SystemFunction025 and
SystemFunction027
• All undocumented functions
25.
26. Pass-the-Hash Toolkit
• Injects a DLL into lsass.exe to get hashes
– Program named whosthere-alt
• Uses different API functions than Pwdump
27. Keystroke Logging
• Kernel-Based Keyloggers
– Difficult to detect with user-mode
applications
– Frequently part of a rootkit
– Act as keyboard drivers
– Bypass user-space programs and protections
28. Keystroke Logging
• User-Space Keyloggers
– Use Windows API
– Implemented with hooking or polling
• Hooking
– Uses SetWindowsHookEx function to notify malware
each time a key is pressed
– Details in next chapter
• Polling
– Uses GetAsyncKeyState & GetForegroundWindow
to constantly poll the state of the keys
29. Polling Keyloggers
• GetAsyncKeyState
– Identifies whether a key is pressed or
unpressed
• GetForegroundWindow
– Identifies the foreground window
– Loops through all keys, then sleeps briefly
– Repeats frequently enough to capture all
keystrokes
33. Three Persistence Mechanisms
1.Registry modifications, such as Run key
• Other important registry entries:
– AppInit_DLLs
– Winlogon Notify
– ScvHost DLLs
2.Trojanizing Binaries
3.DLL Load-Order Hijacking
34. Registry Modifications
• Run key
– HKEY_LOCAL_MACHINE SOFTWARE Microsoft
Windows CurrentVersion Run
– Many others, as revealed by Autoruns
• ProcMon shows all registry modifications
when running malware (dynamic analysis)
• Can detect all these techniques
36. APPINIT DLLS
• AppInit_DLLs are loaded into every
process that loads User32.dll
– This registry key contains a space-delimited
list of DLLs
– HKEY_LOCAL_MACHINE SOFTWARE Microsoft
Windows NT CurrentVersion Windows
– Many processes load them
– Malware will call DLLMain to check which
process it is in before launching payload
37. Winlogon Notify
• Notify value in
– HKEY_LOCAL_MACHINE SOFTWARE Microsoft
Windows
– These DLLs handle winlogon.exe events
– Malware tied to an event like logon, startup,
lock screen, etc.
– It can even launch in Safe Mode
38. SvcHost DLLs
• Svchost is a generic host process for services
that run as DLLs
• Many instances of Svchost are running at once
• Groups defined at
– HKEY_LOCAL_MACHINE SOFTWARE Microsoft
Windows NT CurrentVersion Svchost
• Services defined at
– HKEY_LOCAL_MACHINE System
CurrentControlSet Services ServiceName
39. Process Explorer
• Shows many
services running in
one svchost
process
• This is the netsvcs
group
40.
41. ServiceDLL
• All svchost.exe DLL contain a Parameters
key with a ServiceDLL value
– Malware sets ServiceDLL to location of
malicious DLL
42. Groups
• Malware usually adds itself to an existing
group
– Or overwrites a non-vital service
– Often a rarely used service from the netsvcs
group
• Detect this with dynamic analysis
monitoring the registry
– Or look for service functions like
CreateServiceA in disassembly
43. Trojanized System Binaries
• Malware patches bytes of a system binary
• To force the system to execute the malware
the next time the infected binary is loaded
• DLLs are popular targets
• Typically the entry function is modified
• Jumps to code inserted in an empty portion of
the binary
• Then executes DLL normally
46. KnownDLLs Registry Key
• Contains list of specific DLL locations
• Overrides the search order for listed DLLs
• Makes them load faster, and prevents load-
order hijacking
• DLL load-order hijacking can only be used
– On binaries in directories other than System32
– That load DLLs in System32
– That are not protected by KnownDLLs
47. Example: explorer.exe
• Lives in /Windows
• Loads ntshrui.dll from System32
• ntshrui.dll is not a known DLL
• Default search is performed
• A malicious ntshrui.dll in /Windows will
be loaded instead
48. Many Vulnerable DLLs
• Any startup binary not found in /System32
is vulnerable
• explorer.exe has about 50 vulnerable DLLs
• Known DLLs are not fully protected,
because
– Many DLLs load other DLLs
– Recursive imports follow the default search
order
49. DLL Load-Order Hijacking Detector
• Searches for DLLs that appear multiple
times in the file system, in suspicious
folders, and are unsigned
• From SANS (2015) (link Ch 11d)
51. No User Account Control
• Most users run Windows XP as
Administrator all the time, so no privilege
escalation is needed to become
Administrator
• Metasploit has many privilege escalation
exploits
• DLL load-order hijacking can be used to
escalate privileges
52. Using SeDebugPrivilege
• Processes run by the user can't do
everything
• Functions like TerminateProcess or
CreateRemoteThread require System
privileges (above Administrator)
• The SeDebugPrivilege privilege was
intended for debugging
• Allows local Administrator accounts to
escalate to System privileges
56. User-Mode Rootkits
• Modify internal functionality of the OS
• Hide files, network connections,
processes, etc.
• Kernel-mode rootkits are more powerful
• This section is about User-mode rootkits
57. IAT (Import Address Table) Hooking
• May modify
– IAT (Import Address Table) or
– EAT (Export Address Table)
• Parts of a PE file
• Filled in by the loader
– Link Ch 11a
– This technique is old and easily detected
59. Inline Hooking
• Overwrites the API function code
• Contained in the imported DLLs
• Changes actual function code, not
pointers
• A more advanced technique than IAT
hooking