Dates
Conferences
Tags
Sort by:
Most recent
Conference: Defcon 31
Authors: David Leadbeater Open Source Engineer, G-Research
2023-08-01
It is 60 years since the first publication of the ASCII standard, something we
now very much take for granted. ASCII introduced the Escape character;
something we still use but maybe don't think about very much. The terminal is a
tool all of us use. It's a way to interact with nearly every modern operating
system. Underneath it uses escape codes defined in standards, some of which
date back to the 1970s.
Like anything which deals with untrusted user input, it has an attack surface.
20 years ago HD Moore wrote a paper on terminal vulnerabilities, finding
multiple CVEs in the process. I decided it was time to revisit this class of
vulnerability.
In this talk I'll look at the history of terminals and then detail the issues I
found in half a dozen different terminals. Even Microsoft who historically
haven't had strong terminal support didn't escape a CVE. In order to exploit
these vulnerabilities they often need to be combined with a vulnerability in
something else. I'll cover how to exploit these vulnerabilities in multiple
ways.
Overall this research found multiple remote code execution vulnerabilities
across nearly all platforms and new unique ways to deliver the exploits.
Conference: Defcon 31
Authors: Ceri Coburn Red Team Operator & Offensive Security Dev @ Pen Test Partners
2023-08-01
The Windows Active Directory authority and the MIT/Heimdal Kerberos stacks found on Linux/Unix based hosts often coexist in harmony within the same Kerberos realm. This talk and tool demonstration will show how this marriage is a match made in hell. Microsoft's Kerberos stack relies on non standard data to identify it's users. MIT/Heimdal Kerberos stacks do not support this non standard way of identifying users. We will look at how Active Directory configuration weaknesses can be abused to escalate privileges on *inux based hosts joined to the same Active Directory authority. This will also introduce an updated version of Rubeus to take advantage of some of these weaknesses.
Conference: Defcon 31
Authors: Tomer Bar VP of security research @ SafeBreach, Omer Attias Security Researcher @ SafeBreach
2023-08-01
The signature update process is critical to EDR's effectiveness against emerging threats.
The security update process must be highly secured, as demonstrated by the Flame malware attack that leveraged a rogue certificate for lateral movement. Nation-state capabilities are typically required for such an attack, given that signature update files are digitally signed by Microsoft.
We wondered if we could achieve similar capabilities running as an unprivileged user without possessing a rough certificate, instead we aimed to turn the original Windows Defender process to our full control.
In this talk we will deep dive into Windows Defender architecture, the signature database format and the update process, with a focus on the security verification logic.
We will explain how an attacker can completely compromise any Windows agent or server, including those used by enterprises, by exploiting a powerful 0day vulnerability that even we didn't expect to discover.
We will demonstrate Defender-Pretender, a tool we developed to achieve neutralization of the EDR. allowing any already known malicious code to run Fully Un-Detected. It can also force Defender to delete admin’s data. OS and driver files, resulting in an unrecoverable OS. We will also explain how an attacker can alter Defender's detection and mitigation logic.
Conference: Defcon 31
Authors: nyxgeek hacker at TrustedSec
2023-08-01
Microsoft Azure is ripe with user information disclosures. We are going to look at weaponizing these disclosures by performing data collection at a large scale against OneDrive, Teams, and Graph.
OneDrive and Teams present silent enumeration methods, requiring no logon attempts and creating no logs. This enables enumeration at a massive scale against the biggest corporations, educational instututes, and government entities in the world. Over the last 1.5 years I have enumerated over 20m users. We will explore the techniques used and the data that was collected, including Azure adoption rates and analysis of username formats.
Microsoft Teams suffers from information dislcosure due to default settings allowing users to see the online presence of others. An undocumented, unauthenticated Microsoft Teams Presence lookup trick will be shared, which enables easy unauthenticated enumeration of the online Teams Presence of users at many organizations. To demonstrate this we will monitor approximately 100,000 Microsoft employees' online presence and any out-of-office messages that are stored.
Finally, Azure supports Guest users, allowing two companies to collaborate on a project. I will unveil a method of identifying Azure Guest users at other tenants. In this way, hidden corporate relationships can be revealed.
Conference: Black Hat Asia 2023
Authors: John Uhlmann
2023-05-12
Memory scanning is a defensive necessity on Windows systems. Microsoft has not provided executable memory manager kernel callbacks and user-mode hooks are fragile, so defenders have deployed periodic memory scanning to compensate. Attackers have responded by obfuscating their code during periods of inactivity to avoid these scanners. Gargoyle was the first public example, but many toolkits have implemented variations since.In this talk, we describe three approaches to uncovering such hidden shellcode.Firstly we explore using the Control Flow Guard (CFG) bitmap to detect executable memory hidden by memory region protection fluctuations. We will then demonstrate using memory manager kernel ETW for runtime detection of violations of the immutable code page principle. Finally, we will show how to use kernel telemetry to construct normalised process behaviour profiles. These syscall summaries are roughly the runtime equivalent of the Import Table and can be used for highly scalable detection of outlier process behaviour. Both tools, the CFG bitmap guided memory scanner and the runtime behaviour monitor and profiler, will be released.
Conference: Global AppSec Dublin 2023
Authors: Sarah-Jane Madden
2023-02-15
tldr - powered by Generative AI
The presentation discusses the challenges and solutions in implementing threat modeling in established software development teams, particularly during the COVID-19 pandemic.
- Established software development teams may have difficulty in implementing threat modeling due to their existing processes and lack of security expertise.
- To address this, it is important to provide benefits and scope of threat modeling, as well as point to similar organizations that have successfully implemented it.
- Threat modeling should be integrated into the software development process and not treated as a separate tool.
- Facilitated sessions can help teams overcome challenges in implementing threat modeling, particularly during remote work situations.
Conference: Global AppSec San Francisco 2022
Authors: Michael Bargury
2022-11-17
Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines or Office cloud, executed successfully and reports back to the cloud. You can probably already see where this is going.In this presentation, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how it is enabled by-default and can be used without explicit user consent. We will also point out a few promising future research directions for the community to pursue.Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.
Conference: Transform X 2022
Authors: Lila Tretikov, John Maeda
2022-10-19
Deputy CTO of Microsoft and former CEO of Wikipedia, Lila Tretikov, joins John Maeda, CTO of Everbridge, to discuss how AI impacts humanity and how to best leverage this technology to grow. They will discuss the evolution of art and artists' role in the age of AI. Lila will discuss how Large Language Models (LLMs) are redefining how we interact with machines today and how advances in this technology will enable non-developers to build applications and immersive experiences with simply a prompt. Lila and John will explore AR/VR/XR, practical applications for headsets like Microsoft's hololens, and how this technology will evolve in the future. Lila and John also draw on their vast experience to outline the most impactful business applications of machine learning technology today.They also discuss how AI mirrors humanity and the importance of being intentional about what data we use to train our models to enhance ourselves best. We think of AI as learning from us. But in its growing capacity to extend beyond any person's memory, computing, or even historical lifetime, it enables us to explore the sum of all human knowledge and to further simulate the possibilities of our future.
Conference: Transform X 2022
Authors: Nat Friedman, Alexandr Wang
2022-10-19
tldr - powered by Generative AI
The speaker discusses the emergence of AI capabilities and the need for product development to bridge the gap between research and practical applications. They also touch on the potential for startups to build new products and the challenges of incumbents in adopting generative AI technology.
- AI capabilities have created new opportunities for product development
- Product development requires a level of tinkering and creativity to find the intersection between new capabilities and user needs
- Language is an AGI complete problem with a lot of potential value to be unlocked
- Models are becoming more accessible and less brittle, making them easier to use for product development
- Startups have an opportunity to build new products that don't fit neatly into existing categories
- Incumbents face challenges in adopting generative AI technology due to reputational risk and the potential for offensive content
- The emergence of AI capabilities is not a joke and may be bad news for startups
- The moat for startups may be in the application or workflow rather than the model itself
Conference: OpenAI + Data Forum 2022
Authors: Sean Owen
2022-06-22
Issues of "fairness" in machine learning are rightfully at the forefront today. It's not enough to have an accurate model; practitioners increasingly need to assess when and why a predictive model's results are unfair, often to groups of people. While much has already been said about detecting unfairness or bias, relatively less attention has been given to what to do about it. My model output is "unfair"; now what? This session will examine how open source tools like SHAP and Microsoft's Fairlearn can be used to actually correct for model bias. It will also discuss what "fair" even means and the tradeoffs that different answers imply. In the accompanying technical demo, these tools will be used, along with xgboost and MLflow, to show how two different mitigation strategies can be retrofit to modeling pipelines.