Conference: Defcon 31
Authors: Tamas Jos (SkelSec) Principal Security Consultant, Sec-Consult AG

Spooky authentication at a distance outlines a new and innovative post-exploitation technique to proxy common authentication protocols used in Windows environments remotely and with no elevated privileges required. This allows security professionals to perform complete impersonation of the target user on their own machine without executing any further code on the target machine besides the agent itself. This talk will also demonstrate the applicability of this new technique by performing no-interaction, full domain takeover using a malicious peripheral in a simulated restricted environment.
Conference: Black Hat Asia 2023
Authors: Gabriel Landau

The Windows Protected Process Light (PPL) mechanism hardens anti-malware and critical Windows services against tampering, even by administrators. This special status is guarded by the Windows Code Integrity (CI) subsystem, which ensures that PPL processes will only run code with special signatures from Microsoft or trusted vendors.

PPL has a history of bypasses. The most notorious is PPLdump, a turnkey user mode tool that exploits a Windows vulnerability to achieve arbitrary PPL code execution and dump any PPL process. This can be used to dump the Windows credential store, LSASS, enabling lateral movement. PPLdump is open source, making it easy to alter the payload to perform other privileged actions such as disabling security software.

PPL bypasses are particularly interesting because Microsoft considers PPL a defense-in-depth measure, not a formal security boundary, so these bugs do not qualify for patches. This can result in long-lived vulnerabilities with real-world impact and no patch in sight. The vulnerability underlying and predating PPLdump was publicly disclosed in 2018, but Microsoft didn't patch it until 2022, over a year after PPLdump's 2021 release.

In this talk, we'll review PPL's design, as well as some historical exploits and their mitigations. Next, we'll describe a few new attacks against PPL, including a design flaw in CI that enables unsigned fully-privileged PPL code execution without kernel exploitation. We will demonstrate this flaw and release two tools that exploit it. The first is a pure-usermode PPL process dumper, similar to PPLdump. The second tool demonstrates how this vulnerability effectively grants full read-write access to physical memory. Finally, we will release code that anti-malware vendors can employ to mitigate this type of attack and discuss a few changes to Windows that could stop it entirely.
Authors: Julian Portillo

tldr - powered by Generative AI

Challenges and considerations in migrating Windows workloads to Kubernetes
  • Migrating Windows workloads to Kubernetes requires paying back tech debt and adjusting architecture
  • Scaling up Windows containers can lead to long pull times and node failures
  • There is a lack of common open source tools for Windows containers
  • Performance testing and system design changes can help mitigate migration pains
Authors: Amim Knabben, Xinqi Li

tldr - powered by Generative AI

The presentation discusses the use of a Sonobuoy plugin to run Windows operational readiness tests in Kubernetes clusters.
  • The Sonobuoy plugin can be used to run Windows operational readiness tests in Kubernetes clusters.
  • The plugin can be run inside the cluster instead of running the tests outside the software.
  • The plugin can be used to parse and extract results and give a summary of the results.
  • The plugin can be used to publish the latest Sonobuoy image of the project on the GCR bucket upstream.
  • The plugin can be used to bootstrap a Windows cluster locally using the Windows dev tools.
  • The plugin can be integrated with Prow jobs to run the tests and bring up the results of changes in the project.
  • The plugin can be used with CAPI to bring up a new workload cluster in the hybrid view or Windows view.
  • The plugin can be used with runtime extensions and ClusterClass to execute commands or operations in the lifecycle of a cluster.
Authors: Jay Vyas, Dimitrie Mititelu, James Sturtevant, Mark Rossetti

In this maintainer track talk we'll cover what is new with SIG-Windows and will provide updates on our ongoing projects such as HostProcessContainers, KubeProxyNextGen support, perf testing and more!
Authors: Agustín Martínez Fayó, Marcos Yacob

tldr - powered by Generative AI

The presentation discusses the use of Spire and Spiffe in securing containerized applications on Windows servers.
  • Spire and Spiffe are open-source tools used for securing containerized applications
  • The presentation demonstrates the successful communication between different containerized applications using Spire and Spiffe on Windows servers
  • The presenter discusses the challenges faced in implementing Spire and Spiffe on Windows servers, particularly in obtaining information about running containers
  • Future plans include making Spire and Spiffe work on Kubernetes and supporting different programming languages
Authors: Jay Vyas, Claudiu Belu, Mark Rossetti, Brandon Smith

Running Kubernetes on Windows is increasingly a viable production strategy for complex applications in multitenant environments. In this presentation we'll highlight recent improvements - such as the pod.OS field and advancements in host-process containers for infrastructure - that make it easier to manage production clusters/workloads, show people how to rapidly prototype the development of new Kubernetes features using the SIG-Windows developer tools project, and also do a deep-dive into how container users work on Windows.
Authors: Nic Jackson, Praveen Balasubramanian, Kalya Subramanian, Sotiris Nanopoulos

Learn about the ongoing efforts to enable Service Mesh on the Windows platform, what it can do now, and what is coming next. Learn how to configure the Windows networking stack to redirect traffic to a sidecar proxy. Understand the differences between Windows and Linux platform support. Learn how to configure and deploy Envoy as a sidecar proxy. Finally, watch all the above working together on a live demo of Open Service Mesh (OSM) on Windows.
Authors: Jay Vyas, Friedrich Wilken, Danny Canter, Brandon Smith

tldr - powered by Generative AI

Updates on bringing Windows workloads to Kubernetes, including recent improvements, planned future improvements, and new development tooling.
  • CSI plugin support for Windows is now generally available
  • Host process containers (equivalent of privileged containers on Linux) hit alpha in 1.22
  • Pursuing a way to identify Windows pods at API admission time
  • Enhancement to view node logs with kubectl logs
  • Windows Server 2022 offers enhanced container platform with faster download and startup times, improved app compatibility, and consistent network policy with Calico
  • New Windows developer environment to make it easier to spin up Windows clusters