logo
allArticlesConferencesPresentations

Network Defender Archeology: An NSM Case Study in Lateral Movement with DCOM

Conference:  BlackHat EU 2018

2018-12-06

Summary

The presentation discusses the importance of endpoint data in detecting and stopping cyber threats, and the process of contributing to Wireshark to improve protocol parsing.
  • Endpoint data is crucial in detecting and stopping cyber threats, as attackers try to evade network detection
  • Detection requires relying on network data, endpoint data, and application logs
  • Contributing to Wireshark can improve protocol parsing and aid in detection
  • Tips for protocol reverse engineering include using existing dissectors and documentation, and varying attack parameters to identify properties
The presenter struggled for hours to understand the I type info operations in a protocol, but was able to fully parse and dissect them by using existing dissectors, official documentation, and varying attack parameters. This led to a contribution to Wireshark to improve protocol parsing.

Abstract

Adversaries love leveraging legitimate functionality that lays dormant inside of Microsoft Windows for malicious purposes and often disguise their activity under the smoke screen of "normal administrator behavior." Over the last year, there has been a significant surge in the malicious use of Component Object Model (COM) objects as a "living off the land" approach to lateral movement. COM, a subsystem that has been around since the early days of Microsoft Windows, exposes interfaces and functionality within software objects and has the ability to share this functionality over the network via Distributed COM (DCOM). With over 20 years in existence and over a year of relative popularity among adversaries, one would imagine that network analysis and detection of DCOM attacks was old news. On the contrary, very few people understand the techniques, tools fail to properly parse the network protocol, and adversaries continue to successfully leverage it to further the compromise of networks. Needless to say, it's difficult to defend against techniques that the defenders don't understand.This talk aims to address that knowledge gap by exploring DCOM as a lateral movement technique and provide a methodical walk through of the technique from both the attacker and defender perspectives. The audience will get a deep dive into:•[D]COM 101•How does an adversary choose a COM object for lateral movement•NSM approaches with regards to DCOM (pros vs cons)•Network protocol analysis of the attack using open source tools
Materials:
Slides
Paper
Tags:

Post a comment

Related work

Burning Bridges - Stopping Lateral Movement via the RPC Firewall

Conference:  BlackHat USA 2021
Authors:
2021-11-10

Exploiting Windows COM/WinRT Services

Conference:  BlackHat USA 2021
Authors:
2021-08-05

Hands Off and Putting SLAB/SLUB Feng Shui in a Blackbox

Conference:  BlackHat EU 2019
Authors:
2019-12-04

PPLdump Is Dead. Long Live PPLdump!

Conference:  Black Hat Asia 2023
Authors: Gabriel Landau
2023-05-11

Vulnerability Exchange: One Domain Account For More Than Exchange Server RCE

Conference:  Defcon 29
Authors:
2021-08-01

Defender-Pretender: When Windows Defender Updates Become a Security Risk

Conference:  Defcon 31
Authors: Tomer Bar VP of security research @ SafeBreach, Omer Attias Security Researcher @ SafeBreach
2023-08-01