Un) fucking forensics

•Download as PPTX, PDF•

1 like•455 views

S

DEFCON 25 presentation. An overview of the basis for needing memory integrity validation (secure hash) checks of a running VM. Edit memory through python scripting. Enhance timeline assurances that you have not missed events with multiple complementary event sources.

(Un) Fucking Forensics
Active/Passive memory hacking/debugging
K2 / Director @IOACTIVE
https://github.com/K2

About me?
• Hacker for a while
• inVtero.net
• Memory analysis framework for Windows
• Super fast/GBPS throughput
• Memory integrity checking of VM’s/CrashDumps/Memory
• Type aware memory hacking tool
• EhTrace
• Binary trace tool
• Uses hook/patch-less technique for in-process debugging
• Lots of other stuff

Outline / areas
• How to forensic, how to Fuck forensics and how to un fuck it.
• Intx80 AF technique on header wipe/non-resident code/trim()
• How to deal with that
• RoP background, how it’s used in attacks
• Gargoyle attacks & how to protect against them
• CloudLeech – twist on UlfFrisk DMA attacks / PCILeech
• Demo of open source memory integrity platform for Windows!

Can you even
forensic?
• In general: Determine what happened.
Make a timeline of known events.
• “Artifacts” disk & memory (often
incomplete/fragmented) used to build timeline.
• How good can we do? How do we know if were
done?

Artifact
sources
How
attestable are
they?
• Time stamps from all sources to derive timeline
(event logs/syslog/firewall/filesystem time, etc…)
• Wevtutil - Windows Events Command Line Utility.
Configure more than 1189 event log sources
• SysMon (from SysInternals/Mark Russinovich) / neat
config: https://github.com/SwiftOnSecurity/sysmon-
config
• Linux (osquery
https://github.com/facebook/osquery )

Handling memory
• Forensics meets Reverse Engineering
• Dump / disassemble determine what the extent of capability the attacker possesses
• I want to at least clear this guy out & find out how much damage he did
• Volatility/Rekall python forensic engines
• Stephen Ridley’s RE memory hacking tool: https://github.com/s7ephen/SandKit
• Paper: Escaping the sandbox
• GAME HACKING! 
• Let’s look at what people do to cheat sometime?

How to F’it?
• Hide really well
• Wipe/Destroy logging/leave no
trace/Stenography/Encrypt
• Misdirect
• Flood/Annoy/Make analysis so
costly$$$/Obfuscate/Spoof/
• Direct Attack
• DefCon 15: Breaking Forensics
Software: Weaknesses in Critical
Evidence Collection Chris Palmer,
Alex Stamos

Anti-forensics: Furthering digital forensic science through a new extended,
granular taxonomy:

Foreshadowing: normalize you’re operations
• A great way to operate undetected is to ensure you are not an
anomaly.
• Use the resources of you’re target to conduct you’re operations.
• “Configuration” attacks
• Enable IPV6 tunneling & VPN access
• Attacker has trusted CA capability (added their privkey to trusted list)
• The more “normal” the method will be very hard to dig up

Int0x80’s AF counter
Attack against a tool:
Rekall
• Prevent dumping for working
More ways to get it;
• Use VAD (kernel source)
• Use PageTable (ABI)
• Use inVtero.net
• dump.py - VADDump (VAD) or
Dump (PageTable)

RoP: More normal
• RoP is an often discussed topic used mostly for exploitation
• RoP uses the CPU stack semantics to execute as if it were a really large set of return
statements.
• This uses the code that’s already on the system more “normalized” than if you had to inject
an executable payload that did not originate from the target
• RoP is used by Gargoyle (Josh Lospinoso) as an example of a persistence
technique that evades memory analysis systems
• There is hope, we can detect RoP attacks through call chain evaluation

RoP is not
perfect
https://www.cs.columbia.edu/~angelos/Papers/theses/vpappas_thesis.pdf

Gargoyle
persistence
• Leverages a timer and blocking
wait that moves it into the “active
state”
• Once active, stages page
protection +X
• Then uses this page to invoke it’s
primary payload
• It then mask’s the +X bit back off
and goes inactive

Tools too defend against RoP attack?
• Analysis: ROPEMU: A Framework for the Analysis of Complex Code-
Reuse Attacks
• Dump a complex RoP execution trace into an ELF !! Wow!
• Detection: inVtero.net can perform a stack checking function against
the memory dump.
• Similar tools for monitoring RoP at run time (EhTrace, RoPGuard, etc…)
• From the inVtero output, you really do NOT want to see the Gargoyle gadget,
or anything that looks like a stack pivot

Injection techniques
• Many variegations to achieve the same goal;
• 10 Process Injection Techniques (Ashkan Hosseini/Endgame)
• LoadLibrary, Hallowing, Thread hijacking, Windows Hooks, Registry
keys, APC, SetWindowLong, Shims & IAT shims
• Flame was a sort of hallowing attack
• “hid” inside of ntdll, remained undetected for years

Enter DMA with PCILeech
• Ulf Frisk Direct-Memory-Attack-the-Kernel:
• PCILeech attacks and utility for forensics (memory) collection
• Uses a variety of (very cool) techniques to execute payloads
• One of the simplest is the “unlock” functionality
• It’s an inline patch however
• Hard to detect w/o manual reversing

Integrity validation
• Full validation at any point in time must be able to be conducted
• System state should/must be static
• CPU execution will allow attackers to play games / evade read’s
• RDMA
• LiveMigration / Snapshotting

Tie it together
Un F’d Memory Forensics – Remove the guesswork
• Leverage wide range of information sources
• Have a comprehensive global view of the data set
• Appropriate countermeasures for most attackers (RoP)
• Integrity checking of memory (in line patch protection)
• Symbols and context for analysis of pointers
• Pointer tracking becomes more significant as we can qualify their address/vector

Demo’s & Thank you
• Check out the tools
Github.com/K2

Recommended

Bz backtrack.usage

Bz backtrack.usage

Bz backtrack.usage

This document discusses Backtrack, a Linux distribution for penetration testing and ethical hacking. It provides instructions on installing Backtrack 5 R3 using VirtualBox for testing purposes. It outlines the basic usage of Backtrack, including configuring the network and updating tools. It also describes exploring the pentesting tools directory and creating a simple lab with vulnerable virtual machines for security testing.

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to, routers and other such embedded devices. This talk was recorded, a video will be linked soonish, and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

This document discusses vulnerabilities in TR-064 and TR-069 protocols for managing broadband network devices. It describes how TR-064 had issues with no password protection and readable credentials, allowing full device access. It also discusses prior vulnerabilities like Misfortune Cookie that allowed bypassing authentication in TR-069. The document then demonstrates how exploiting a persistent cross-site scripting vulnerability in the FreeACS server software through TR-069 requests could allow adding an administrative user and completely compromising the server. This could potentially allow attacking and reconfiguring millions of networked devices.

Security Testing: Fuzzing

Security Testing: Fuzzing

Security Testing: Fuzzing

Andrei Rubaniuk

After School cyber security class slides - Pat

After School cyber security class slides - Pat

After School cyber security class slides - Pat

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.

Recommended

Bz backtrack.usage

Bz backtrack.usage

Bz backtrack.usage

This document discusses Backtrack, a Linux distribution for penetration testing and ethical hacking. It provides instructions on installing Backtrack 5 R3 using VirtualBox for testing purposes. It outlines the basic usage of Backtrack, including configuring the network and updating tools. It also describes exploring the pentesting tools directory and creating a simple lab with vulnerable virtual machines for security testing.

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

Steelcon 2015 - 0wning the internet of trash

My presentation slides from Steelcon 2015 on "Owning the Internet of Trash", a presentation on exploitation of endemic vulnerabilities in the so called "internet of things", with a focus on finding vulnerabilities in, exploiting, and gaining persistent access to, routers and other such embedded devices. This talk was recorded, a video will be linked soonish, and went over some basics of analysing firmware, hardware, and suchlike to find bugs in things and hack the planet!

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

BSides Hannover 2015 - Shell on Wheels

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

Infosecurity.be 2019: What are relevant open source security tools you should...

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters

This document discusses vulnerabilities in TR-064 and TR-069 protocols for managing broadband network devices. It describes how TR-064 had issues with no password protection and readable credentials, allowing full device access. It also discusses prior vulnerabilities like Misfortune Cookie that allowed bypassing authentication in TR-069. The document then demonstrates how exploiting a persistent cross-site scripting vulnerability in the FreeACS server software through TR-069 requests could allow adding an administrative user and completely compromising the server. This could potentially allow attacking and reconfiguring millions of networked devices.

Security Testing: Fuzzing

Security Testing: Fuzzing

Security Testing: Fuzzing

Andrei Rubaniuk

After School cyber security class slides - Pat

After School cyber security class slides - Pat

After School cyber security class slides - Pat

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

BSides London 2017 - Hunt Or Be Hunted

Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python. Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method. The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

This document provides an overview of using the Metasploit framework for penetration testing web applications. It discusses Metasploit modules like exploits, payloads, and listeners. It describes using direct exploits against hosts and browser exploits like heap spraying. It also covers using Metasploit for information gathering with Nmap and storing scan data in the Metasploit database. The document demonstrates a client-side attack against Internet Explorer using a binary payload and Immunity Debugger.

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

The document discusses distributed fuzzing, which involves spreading the workload of fuzz testing across multiple machines to dig deeper faster. It proposes a distributed fuzzing solution with the following key components: a database to store fuzzing data, a web interface for management, virtual machine nodes running fuzzers and monitoring targets, and an RPC interface to coordinate communication between components. The goal is to make deployment and management of distributed fuzzing easy while avoiding vendor lock-in.

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

The document discusses automated exploit generation through program analysis techniques. It introduces dynamic binary instrumentation, symbolic execution, and concolic execution as program analysis methods that can help automate finding the path to a vulnerability and generating an exploit. It provides examples of how these techniques work and common tools used like PIN, KLEE, Angr. The document concludes by discussing challenges like defining semantics of vulnerabilities precisely and the potential of program analysis to find more bugs through techniques like automated proving of program correctness.

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We will demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general purpose fuzzing solutions. We will also show you how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we will discuss how you can tailor your defenses to block zero day attacks, which is a key aspect of vulnerability management.

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

This document provides an overview of fuzz testing and fuzzing tools. It discusses what fuzzing is, the history and evolution of fuzzing, popular fuzzing tools like Peach Fuzz and Sulley, and fuzzing methods like generation-based, mutation-based, and byte flipping fuzzing. The document also covers the phases of fuzzing like identifying targets and inputs, generating fuzzed data, executing it, and monitoring for exceptions. Key fuzzing frameworks and tools from organizations like CERT and their capabilities are described as well.

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available. In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors. The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features. --- Ron Shina Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot. --- Shlomi Oberman Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

This document discusses hacking mainframe systems like IBM z/OS. It describes how the speaker was able to gain access to mainframes through methods like credential theft, exploiting vulnerabilities in programs like Tivoli NetView, and escalating privileges using tools to ultimately achieve root access. The speaker demonstrates hacking tools they have created like BIRP, TShocker, and Maintp that can be used to conduct reconnaissance of mainframes and execute code through techniques like FTP.

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.

Cloud Security with LibVMI

Cloud Security with LibVMI

Cloud Security with LibVMI

Tamas K Lengyel

The document provides a brief history of hardware security from 1982 to present day, focusing on developments like protected mode, virtualization with Xen and VT-x/AMD-V, the Intel Management Engine, SGX, and virtual machine introspection (VMI). It discusses the core concepts behind VMI including isolation, interpretation, and interposition. LibVMI is introduced as a tool for VMI that allows monitoring VM memory, translating guest virtual addresses, and placing hooks in the guest. Future directions include more guest OS and hypervisor support as well as new event types.

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Tamas K Lengyel

The document describes DRAKVUF, a dynamic malware analysis system that aims to improve scalability, fidelity, and stealthiness. It uses Xen virtualization and memory monitoring techniques like EPT to analyze malware behavior in a monitored virtual environment without the malware's knowledge. An evaluation analyzed 1000 malware samples, found key data only existed in memory, and showed throughput could be improved with memory deduplication. The system helps address issues with analyzing large malware sets but challenges remain like handling stalled code.

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

Graphic drivers and their related code are an essential component in every modern operating system. This particular component involves especially complex logic and a huge amount of code, simply because it must handle equally complex tasks. As we know from history and experience huge and complex code is often also a security risk. Last but not least, in almost all the popular modern operating system, graphics code and logic is running in a highly privileged context such as the kernel, or even in a higher context, such as VMWare graphics component, which essentially implements your graphic card outside the guest into a host process. Any mistake made into this highly privileged code can lead to a fatal outcome, especially considering that it is often reachable from interesting sandboxes, such as the browser ones. We will go through the internals for various graphic systems, to show similarities and differences, such as windows heart of graphics aka win32k, then OSX/iOS IOKit, and finally, WMWare emulated GPU graphic subsystem. We can then switch gear and showcase some vulnerabilities in these scenarios, discuss effective fuzzing methodologies both specific to a particular target and generic principles of fuzzing graphic subsystems as well.

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

This document discusses improving the communication of malware analysis by providing reproducible analyses using the malware itself. It proposes supplementing written analyses with demonstrations that instrument the malware. As a case study, it analyzes a piece of POS malware called JackPOS. The document describes setting up the malware's command and control infrastructure and memory scraping functionality. It concludes by demonstrating how to instrument the malware using Python scripts to trace its network communication and track data collection in a reproducible way.

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

This document outlines how to remotely hack Windows 95 without any user interaction or needing zero-day exploits. It lists the prerequisites as having a default installation of Windows 95 with a writable C: share and network connectivity configured. It then provides links to resources on hacking Windows 95, including a 158-page manual and blog posts walking through exploiting vulnerabilities. The goal is to achieve remote code execution on the target system using existing hacking tools.

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

ShinoBOT is a penetration testing tool that simulates a remote access tool (RAT) to measure an organization's defenses against advanced persistent threats. It connects to the ShinoC2 command and control server every 10 seconds to receive and execute jobs. ShinoC2 allows penetration testers to create jobs that are then assigned to compromised systems running ShinoBOT. The tools aim to help security teams understand what would happen if a real APT successfully installed a RAT on their network by testing incident response and log monitoring capabilities. Upcoming features for ShinoBOT include taking webcam snapshots, encrypting its communications and hiding using a kernel driver to simulate more advanced adversary techniques.

Oscp preparation

Oscp preparation

Oscp preparation

Manich Koomsusi

This document provides an overview and preparation guide for the Offensive Security Certified Professional (OSCP) certification. It begins with an introduction and outlines the agenda, which includes an overview of the OSCP, course registration details, prerequisites, an overview of the course content and lab environment, exam preparation tips, and exam details. It then provides additional exam tips, discusses what to expect after passing the OSCP exam, and recommends additional reference materials and websites. The document is intended to help those interested in understanding and preparing for the OSCP certification exam.

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.

Security research over Windows #defcon china

Security research over Windows #defcon china

Security research over Windows #defcon china

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Positive Hack Days

This document provides an overview of a presentation about using human interface devices like keyboards for penetration testing. The presentation covers using the Teensy microcontroller to create payloads that are executed when the device is plugged into a target system. It demonstrates writing payloads using the Kautilya toolkit to perform attacks like installing backdoors, changing system settings, gathering information, and executing code on Windows and Linux machines. The document also discusses limitations and ways to prevent attacks using malicious human interface devices.

More Related Content

What's hot

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python. Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method. The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

This document provides an overview of using the Metasploit framework for penetration testing web applications. It discusses Metasploit modules like exploits, payloads, and listeners. It describes using direct exploits against hosts and browser exploits like heap spraying. It also covers using Metasploit for information gathering with Nmap and storing scan data in the Metasploit database. The document demonstrates a client-side attack against Internet Explorer using a binary payload and Immunity Debugger.

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

The document discusses distributed fuzzing, which involves spreading the workload of fuzz testing across multiple machines to dig deeper faster. It proposes a distributed fuzzing solution with the following key components: a database to store fuzzing data, a web interface for management, virtual machine nodes running fuzzers and monitoring targets, and an RPC interface to coordinate communication between components. The goal is to make deployment and management of distributed fuzzing easy while avoiding vendor lock-in.

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

The document discusses automated exploit generation through program analysis techniques. It introduces dynamic binary instrumentation, symbolic execution, and concolic execution as program analysis methods that can help automate finding the path to a vulnerability and generating an exploit. It provides examples of how these techniques work and common tools used like PIN, KLEE, Angr. The document concludes by discussing challenges like defining semantics of vulnerabilities precisely and the potential of program analysis to find more bugs through techniques like automated proving of program correctness.

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We will demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general purpose fuzzing solutions. We will also show you how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we will discuss how you can tailor your defenses to block zero day attacks, which is a key aspect of vulnerability management.

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

This document provides an overview of fuzz testing and fuzzing tools. It discusses what fuzzing is, the history and evolution of fuzzing, popular fuzzing tools like Peach Fuzz and Sulley, and fuzzing methods like generation-based, mutation-based, and byte flipping fuzzing. The document also covers the phases of fuzzing like identifying targets and inputs, generating fuzzed data, executing it, and monitoring for exceptions. Key fuzzing frameworks and tools from organizations like CERT and their capabilities are described as well.

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available. In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors. The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features. --- Ron Shina Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot. --- Shlomi Oberman Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

This document discusses hacking mainframe systems like IBM z/OS. It describes how the speaker was able to gain access to mainframes through methods like credential theft, exploiting vulnerabilities in programs like Tivoli NetView, and escalating privileges using tools to ultimately achieve root access. The speaker demonstrates hacking tools they have created like BIRP, TShocker, and Maintp that can be used to conduct reconnaissance of mainframes and execute code through techniques like FTP.

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.

Cloud Security with LibVMI

Cloud Security with LibVMI

Cloud Security with LibVMI

Tamas K Lengyel

The document provides a brief history of hardware security from 1982 to present day, focusing on developments like protected mode, virtualization with Xen and VT-x/AMD-V, the Intel Management Engine, SGX, and virtual machine introspection (VMI). It discusses the core concepts behind VMI including isolation, interpretation, and interposition. LibVMI is introduced as a tool for VMI that allows monitoring VM memory, translating guest virtual addresses, and placing hooks in the guest. Future directions include more guest OS and hypervisor support as well as new event types.

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Tamas K Lengyel

The document describes DRAKVUF, a dynamic malware analysis system that aims to improve scalability, fidelity, and stealthiness. It uses Xen virtualization and memory monitoring techniques like EPT to analyze malware behavior in a monitored virtual environment without the malware's knowledge. An evaluation analyzed 1000 malware samples, found key data only existed in memory, and showed throughput could be improved with memory deduplication. The system helps address issues with analyzing large malware sets but challenges remain like handling stalled code.

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

Graphic drivers and their related code are an essential component in every modern operating system. This particular component involves especially complex logic and a huge amount of code, simply because it must handle equally complex tasks. As we know from history and experience huge and complex code is often also a security risk. Last but not least, in almost all the popular modern operating system, graphics code and logic is running in a highly privileged context such as the kernel, or even in a higher context, such as VMWare graphics component, which essentially implements your graphic card outside the guest into a host process. Any mistake made into this highly privileged code can lead to a fatal outcome, especially considering that it is often reachable from interesting sandboxes, such as the browser ones. We will go through the internals for various graphic systems, to show similarities and differences, such as windows heart of graphics aka win32k, then OSX/iOS IOKit, and finally, WMWare emulated GPU graphic subsystem. We can then switch gear and showcase some vulnerabilities in these scenarios, discuss effective fuzzing methodologies both specific to a particular target and generic principles of fuzzing graphic subsystems as well.

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

This document discusses improving the communication of malware analysis by providing reproducible analyses using the malware itself. It proposes supplementing written analyses with demonstrations that instrument the malware. As a case study, it analyzes a piece of POS malware called JackPOS. The document describes setting up the malware's command and control infrastructure and memory scraping functionality. It concludes by demonstrating how to instrument the malware using Python scripts to trace its network communication and track data collection in a reproducible way.

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

This document outlines how to remotely hack Windows 95 without any user interaction or needing zero-day exploits. It lists the prerequisites as having a default installation of Windows 95 with a writable C: share and network connectivity configured. It then provides links to resources on hacking Windows 95, including a 158-page manual and blog posts walking through exploiting vulnerabilities. The goal is to achieve remote code execution on the target system using existing hacking tools.

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

ShinoBOT is a penetration testing tool that simulates a remote access tool (RAT) to measure an organization's defenses against advanced persistent threats. It connects to the ShinoC2 command and control server every 10 seconds to receive and execute jobs. ShinoC2 allows penetration testers to create jobs that are then assigned to compromised systems running ShinoBOT. The tools aim to help security teams understand what would happen if a real APT successfully installed a RAT on their network by testing incident response and log monitoring capabilities. Upcoming features for ShinoBOT include taking webcam snapshots, encrypting its communications and hiding using a kernel driver to simulate more advanced adversary techniques.

Oscp preparation

Oscp preparation

Oscp preparation

Manich Koomsusi

This document provides an overview and preparation guide for the Offensive Security Certified Professional (OSCP) certification. It begins with an introduction and outlines the agenda, which includes an overview of the OSCP, course registration details, prerequisites, an overview of the course content and lab environment, exam preparation tips, and exam details. It then provides additional exam tips, discusses what to expect after passing the OSCP exam, and recommends additional reference materials and websites. The document is intended to help those interested in understanding and preparing for the OSCP certification exam.

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.

What's hot (20)

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Reverse Engineering the TomTom Runner pt. 1

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

Steelcon 2014 - Process Injection with Python

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

DefCamp 2013 - MSF Into The Worm Hole

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Distributed Fuzzing Framework Design

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Csw2016 d antoine_automatic_exploitgeneration

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

Fuzzing 101 Webinar on Zero Day Management

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

FUZZING & SOFTWARE SECURITY TESTING

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

Cloud Security with LibVMI

Cloud Security with LibVMI

Cloud Security with LibVMI

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

2016 TTL Security Gap Analysis with Kali Linux

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

XFLTReat: a new dimension in tunnelling

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Hacking Windows 95 #33c3

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)

Oscp preparation

Oscp preparation

Oscp preparation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Practical Windows Kernel Exploitation

Similar to Un) fucking forensics

Security research over Windows #defcon china

Security research over Windows #defcon china

Security research over Windows #defcon china

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Positive Hack Days

This document provides an overview of a presentation about using human interface devices like keyboards for penetration testing. The presentation covers using the Teensy microcontroller to create payloads that are executed when the device is plugged into a target system. It demonstrates writing payloads using the Kautilya toolkit to perform attacks like installing backdoors, changing system settings, gathering information, and executing code on Windows and Linux machines. The document also discusses limitations and ways to prevent attacks using malicious human interface devices.

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

This document introduces EMBA, a free and open-source firmware analysis tool. It describes EMBA's extraction and analysis modules that can extract firmware components like Linux filesystems, decrypt images, and analyze the firmware using tools like binwalk and Yara rules. EMBA aims to automate common firmware analysis tasks and identify security issues like outdated components, weak configurations, and potential 0-day vulnerabilities through static and dynamic analysis techniques.

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

AbdelrahmanShaban3

This document provides an overview of reverse engineering through analyzing the Stuxnet computer worm. It describes how Stuxnet spread using Windows vulnerabilities and infected systems running Siemens industrial software. It then manipulated programmable logic controllers to potentially sabotage nuclear centrifuges in Iran. However, the document notes that while theories point to state-sponsored attacks, its true target and author remain unknown due to lack of evidence. Speculation about Stuxnet's origins and purpose are presented to demonstrate how its analysis generated many unproven narratives.

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

Hackito Ergo Sum

Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed. Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER! https://www.hackitoergosum.org

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

Touhami Kasbaoui

The document discusses two cyber threats that existed in Morocco: 1. A password info stealer malware that was responsible for 90% of attacks. Intelligence tracking detected around 180GB of leaked data related to Moroccan domains and personal information, and over 320 spammers were identified from the data with connections to Morocco. 2. An ATM dispense malware that was gathered from Moroccan internet service providers. Technical details about the ATM malware were presented, but not summarized. The document ends by stating that preparations are being made for the "next war", but does not clarify the purpose of the two threats.

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

centralohioissa

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

This document discusses fileless or memory-based malware that exists only in memory and provides recommendations for detecting and responding to it. It recommends: 1. Developing a process to monitor running processes and modules for signs of injection or unauthorized code. Tools like Log-MD-Premium can help detect these memory-only infections. 2. Enabling detailed process logging, especially of command lines, to provide visibility. Detections and hunting can then focus on suspicious process activity. 3. Extracting and analyzing files from memory dumps or live systems to identify malware artifacts and indicators through static file evaluation and string analysis.

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

Tiago Henriques

The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

Linux EDRs present challenges for adversaries seeking to evade detection. The document discusses several strategies and techniques for evading Linux EDRs, including: 1) Utilizing existing trusted system binaries as decoys to bypass process pattern matching. Techniques include using ld.so and busybox to launch payloads. 2) Developing "Uber preloaders" that can load modular payloads and provide command line arguments for evasion. 3) Storing payloads in volatile memory using techniques like memfd_create to avoid detection by EDRs scanning files on disk. 4) Coordinating payloads and preloaders through a "Zombie Ant Farm" module that stores

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

This document discusses techniques for injecting code into processes without directly writing code to the target process's memory. It introduces a technique called "Trap Frame Injection" which hijacks the CPU's user mode state that is stored in trap frames during system calls. It also presents a "Codeless Code Injection" technique which builds ROP chains on the user stack and manipulates the stack pointer to trigger execution without direct code writes. Challenges with this approach like getting return values and avoiding deadlocks are also outlined along with solutions like using a device handle callback or creating a dedicated thread.

Hacking the Gateways

Hacking the Gateways

Hacking the Gateways

This document outlines a plan to hack routers by exploiting vulnerabilities. The plan involves deciding targets, finding vulnerabilities in routers like the AirTies RT series, writing exploits in MIPS assembly to achieve remote code execution, writing scripts for mass exploitation, running attacks on targets in Turkey, and analyzing results. Routers are attractive targets because they are directly internet accessible, can control all traffic once compromised, have limited logging capabilities, and rarely receive security updates.

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

Writing a working exploit for a vulnerability is generally challenging, time-consuming, and labor-intensive. To address this issue, automated exploit generation techniques can be adopted. In practice, existing techniques however exhibit an insufficient ability to craft exploits, particularly for the kernel vulnerabilities. On the one hand, this is because their technical approaches explore exploitability only in the context of a crashing process whereas generating an exploit for a kernel vulnerability typically needs to vary the context of a kernel panic. On the other hand, this is due to the fact that the program analysis techniques used for exploit generation are suitable only for simple programs but not the OS kernel which has higher complexity and scalability. In this talk, we will introduce and release a new exploitation framework to fully automate the exploitation of kernel vulnerabilities. Technically speaking, our framework utilizes a kernel fuzzing technique to diversify the contexts of a kernel panic and then leverages symbolic execution to explore exploitability under different contexts. We demonstrate that this new exploitation framework facilitates exploit crafting from many aspects. First, it augments a security analyst with the ability to automate the identification of system calls that he needs to take advantages for vulnerability exploitation. Second, it provides security analysts with the ability to achieve security mitigation bypassing. Third, it allows security analysts to automatically generate exploits with different exploitation objectives (e.g., privilege escalation or data leakage). Last but not least, it equips security analysts with an ability to generate exploits even for those kernel vulnerabilities for which the exploitability has not yet been confirmed or verified. Along with this talk, we will also release many unpublished working exploits against several kernel vulnerabilities. It should be noted that, the vulnerabilities we experimented cover primarily Use-After-Free and heap overflow. Among all these test cases, more than 50% of them do not have working exploits publicly available. To illustrate this release, I have already disclosed one working exploit at my personal website (http://ww9210.cn/). The exploit released on my site pertains to CVE-2017-15649 for which there has not yet been an exploit publicly available with the demonstration of bypassing SMAP.

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

This document discusses techniques for detecting and evading malware analysis sandboxes. It begins by outlining common sandbox detection methods like checking screen resolution, installed software, CPU/system information, and network settings. It then discusses challenges like simulating sleep functions and network connections. The document emphasizes that while evading analysis is possible, manual review remains difficult to defeat. It concludes by advising blue teams to thoroughly test sandboxes and customize them to their environment before purchasing.

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

The document discusses bypassing endpoint detection and response (EDR) systems. It begins with an introduction and agenda, then provides background on the evolution of endpoint security technologies. It describes how EDRs and antiviruses work, including userland hooking techniques. The document outlines various 2022 EDR bypass techniques such as direct system calls, unhooking, and .NET evasion. It focuses on researching techniques to bypass AM-PPL (Antimalware Protected Process Light) and describes how to bypass it by abusing a 2018 vulnerability in Object Manager directories.

L27

NathannyabvureMapisa

This lecture discusses principles of secure coding and lessons learned from past security incidents. It covers topics like: - Design principles like least privilege and complete mediation. - Common coding errors that led to vulnerabilities like buffer overflows. - The importance of input validation, logging, and avoiding risky functions. - Lessons from fuzz testing programs and the need for secure development practices. - Authentication techniques like hashing passwords and limiting privileges. - The role of policy, usability, and social aspects in security.

Cyber attacks 101

Cyber attacks 101

Cyber attacks 101

A software bug is an error in a computer program that produces unexpected or incorrect results. Security bugs compromise authentication, authorization, data confidentiality, or integrity. Hackers find security bugs through reverse engineering code or fuzzing software to discover vulnerabilities. An exploit is a piece of code that activates a bug to run malicious code. Shellcode is typically used as the payload in an exploit to gain control of a compromised system. Cyber attacks can target individuals, networks, or remote systems. Advanced persistent threats (APTs) are sophisticated, well-funded hacking groups that persistently target specific entities over long periods using social engineering and zero-day exploits. APT attacks involve penetrating targets, spreading to other systems, aggregating data, and covert

Similar to Un) fucking forensics (20)

Security research over Windows #defcon china

Security research over Windows #defcon china

Security research over Windows #defcon china

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

Creating Havoc using Human Interface Device

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

EMBA Firmware analysis - TROOPERS22

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

Reverse Engineering Presentation.pdf

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

AV Evasion with the Veil Framework

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

Malware analysis _ Threat Intelligence Morocco

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

2023 NCIT: Introduction to Intrusion Detection

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

Jason Kent - AppSec Without Additional Tools

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

You need a PROcess to catch running processes and their modules_v2.0

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

Vulnerability, exploit to metasploit

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

Injection on Steroids: Codeless code injection and 0-day techniques

Hacking the Gateways

Hacking the Gateways

Hacking the Gateways

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

Sandbox detection: leak, abuse, test - Hacktivity 2015

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

how-to-bypass-AM-PPL

L27

Cyber attacks 101

Cyber attacks 101

Cyber attacks 101

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing

Removing Uninteresting Bytes in Software Fuzzing

Removing Uninteresting Bytes in Software Fuzzing

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

Columbus Data & Analytics Wednesdays - June 2024

Columbus Data & Analytics Wednesdays - June 2024

Columbus Data & Analytics Wednesdays - June 2024

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf

Techgropse Pvt.Ltd.

In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as: 1. How quickly AI is being implemented in manufacturing. 2. Which barriers stand in the way of AI adoption. 3. How data quality and governance form the backbone of AI. 4. Organizational processes and structures that may inhibit effective AI adoption. 6. Ideas and approaches to help build your organization's AI strategy.

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/ The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this! We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model. Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward. These topics will be covered - Reducing license cost by finding and fixing misconfigurations and superfluous accounts - How do CCB and CCX licenses really work? - Understanding the DLAU tool and how to best utilize it - Tips for common problem areas, like team mailboxes, functional/test users, etc - Practical examples and best practices to implement right away

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

Choosing The Best AWS Service For Your Website + API.pptx

Choosing The Best AWS Service For Your Website + API.pptx

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

OpenID AuthZEN Interop Read Out - Authorization

OpenID AuthZEN Interop Read Out - Authorization

OpenID AuthZEN Interop Read Out - Authorization

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UI5 Controls simplified - UI5con2024 presentation

UI5 Controls simplified - UI5con2024 presentation

UI5 Controls simplified - UI5con2024 presentation

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

Claudio Di Ciccio

Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus. Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain. Paper: https://doi.org/10.1007/978-3-031-61000-4_16

GraphRAG for Life Science to increase LLM accuracy

GraphRAG for Life Science to increase LLM accuracy

GraphRAG for Life Science to increase LLM accuracy

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

kumardaparthi1024

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

June Patch Tuesday

June Patch Tuesday

June Patch Tuesday

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Building Production Ready Search Pipelines with Spark and Milvus

Building Production Ready Search Pipelines with Spark and Milvus

Building Production Ready Search Pipelines with Spark and Milvus

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing

Removing Uninteresting Bytes in Software Fuzzing

Removing Uninteresting Bytes in Software Fuzzing

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

Columbus Data & Analytics Wednesdays - June 2024

Columbus Data & Analytics Wednesdays - June 2024

Columbus Data & Analytics Wednesdays - June 2024

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Taking AI to the Next Level in Manufacturing.pdf

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

Infrastructure Challenges in Scaling RAG with Custom AI models

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

“I’m still / I’m still / Chaining from the Block”

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

HCL Notes and Domino License Cost Reduction in the World of DLAU

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Choosing The Best AWS Service For Your Website + API.pptx

Choosing The Best AWS Service For Your Website + API.pptx

Choosing The Best AWS Service For Your Website + API.pptx

OpenID AuthZEN Interop Read Out - Authorization

OpenID AuthZEN Interop Read Out - Authorization

OpenID AuthZEN Interop Read Out - Authorization

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

UiPath Test Automation using UiPath Test Suite series, part 6

UI5 Controls simplified - UI5con2024 presentation

UI5 Controls simplified - UI5con2024 presentation

UI5 Controls simplified - UI5con2024 presentation

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

CAKE: Sharing Slices of Confidential Data on Blockchain

GraphRAG for Life Science to increase LLM accuracy

GraphRAG for Life Science to increase LLM accuracy

GraphRAG for Life Science to increase LLM accuracy

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

GenAI Pilot Implementation in the organizations

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

Mind map of terminologies used in context of Generative AI

June Patch Tuesday

June Patch Tuesday

June Patch Tuesday

Building Production Ready Search Pipelines with Spark and Milvus

Building Production Ready Search Pipelines with Spark and Milvus

Building Production Ready Search Pipelines with Spark and Milvus

Un) fucking forensics

1. (Un) Fucking Forensics Active/Passive memory hacking/debugging K2 / Director @IOACTIVE https://github.com/K2

2. About me? • Hacker for a while • inVtero.net • Memory analysis framework for Windows • Super fast/GBPS throughput • Memory integrity checking of VM’s/CrashDumps/Memory • Type aware memory hacking tool • EhTrace • Binary trace tool • Uses hook/patch-less technique for in-process debugging • Lots of other stuff

3. Outline / areas • How to forensic, how to Fuck forensics and how to un fuck it. • Intx80 AF technique on header wipe/non-resident code/trim() • How to deal with that • RoP background, how it’s used in attacks • Gargoyle attacks & how to protect against them • CloudLeech – twist on UlfFrisk DMA attacks / PCILeech • Demo of open source memory integrity platform for Windows!

4. Can you even forensic? • In general: Determine what happened. Make a timeline of known events. • “Artifacts” disk & memory (often incomplete/fragmented) used to build timeline. • How good can we do? How do we know if were done?

5. Artifact sources How attestable are they? • Time stamps from all sources to derive timeline (event logs/syslog/firewall/filesystem time, etc…) • Wevtutil - Windows Events Command Line Utility. Configure more than 1189 event log sources • SysMon (from SysInternals/Mark Russinovich) / neat config: https://github.com/SwiftOnSecurity/sysmon- config • Linux (osquery https://github.com/facebook/osquery )

6. Handling memory • Forensics meets Reverse Engineering • Dump / disassemble determine what the extent of capability the attacker possesses • I want to at least clear this guy out & find out how much damage he did • Volatility/Rekall python forensic engines • Stephen Ridley’s RE memory hacking tool: https://github.com/s7ephen/SandKit • Paper: Escaping the sandbox • GAME HACKING!  • Let’s look at what people do to cheat sometime?

7. How to F’it? • Hide really well • Wipe/Destroy logging/leave no trace/Stenography/Encrypt • Misdirect • Flood/Annoy/Make analysis so costly$$$/Obfuscate/Spoof/ • Direct Attack • DefCon 15: Breaking Forensics Software: Weaknesses in Critical Evidence Collection Chris Palmer, Alex Stamos

8. Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy:

9. Foreshadowing: normalize you’re operations • A great way to operate undetected is to ensure you are not an anomaly. • Use the resources of you’re target to conduct you’re operations. • “Configuration” attacks • Enable IPV6 tunneling & VPN access • Attacker has trusted CA capability (added their privkey to trusted list) • The more “normal” the method will be very hard to dig up

10. Int0x80’s AF counter Attack against a tool: Rekall • Prevent dumping for working More ways to get it; • Use VAD (kernel source) • Use PageTable (ABI) • Use inVtero.net • dump.py - VADDump (VAD) or Dump (PageTable)

11. RoP: More normal • RoP is an often discussed topic used mostly for exploitation • RoP uses the CPU stack semantics to execute as if it were a really large set of return statements. • This uses the code that’s already on the system more “normalized” than if you had to inject an executable payload that did not originate from the target • RoP is used by Gargoyle (Josh Lospinoso) as an example of a persistence technique that evades memory analysis systems • There is hope, we can detect RoP attacks through call chain evaluation

12. RoP is not perfect https://www.cs.columbia.edu/~angelos/Papers/theses/vpappas_thesis.pdf

13. Gargoyle persistence • Leverages a timer and blocking wait that moves it into the “active state” • Once active, stages page protection +X • Then uses this page to invoke it’s primary payload • It then mask’s the +X bit back off and goes inactive

14. Tools too defend against RoP attack? • Analysis: ROPEMU: A Framework for the Analysis of Complex Code- Reuse Attacks • Dump a complex RoP execution trace into an ELF !! Wow! • Detection: inVtero.net can perform a stack checking function against the memory dump. • Similar tools for monitoring RoP at run time (EhTrace, RoPGuard, etc…) • From the inVtero output, you really do NOT want to see the Gargoyle gadget, or anything that looks like a stack pivot

15. Injection techniques • Many variegations to achieve the same goal; • 10 Process Injection Techniques (Ashkan Hosseini/Endgame) • LoadLibrary, Hallowing, Thread hijacking, Windows Hooks, Registry keys, APC, SetWindowLong, Shims & IAT shims • Flame was a sort of hallowing attack • “hid” inside of ntdll, remained undetected for years

16. Enter DMA with PCILeech • Ulf Frisk Direct-Memory-Attack-the-Kernel: • PCILeech attacks and utility for forensics (memory) collection • Uses a variety of (very cool) techniques to execute payloads • One of the simplest is the “unlock” functionality • It’s an inline patch however • Hard to detect w/o manual reversing

17. Integrity validation • Full validation at any point in time must be able to be conducted • System state should/must be static • CPU execution will allow attackers to play games / evade read’s • RDMA • LiveMigration / Snapshotting

18. Tie it together Un F’d Memory Forensics – Remove the guesswork • Leverage wide range of information sources • Have a comprehensive global view of the data set • Appropriate countermeasures for most attackers (RoP) • Integrity checking of memory (in line patch protection) • Symbols and context for analysis of pointers • Pointer tracking becomes more significant as we can qualify their address/vector

19. Demo’s & Thank you • Check out the tools Github.com/K2