Conference: Defcon 31
Authors: David Leadbeater, Open Source Engineer, G-Research
2023-08-01

It is 60 years since the first publication of the ASCII standard, something we now very much take for granted. ASCII introduced the Escape character, something we still use but maybe don't think about very much. The terminal is a tool all of us use. It's a way to interact with nearly every modern operating system. Underneath, it uses escape codes defined in standards, some of which date back to the 1970s. Like anything which deals with untrusted user input, it has an attack surface. 20 years ago HD Moore wrote a paper on terminal vulnerabilities, finding multiple CVEs in the process. I decided it was time to revisit this class of vulnerability. In this talk I'll look at the history of terminals and then detail the issues I found in half a dozen different terminals. Even Microsoft, who historically haven't had strong terminal support, didn't escape a CVE. In order to exploit these vulnerabilities, they often need to be combined with a vulnerability in something else. I'll cover how to exploit these vulnerabilities in multiple ways. Overall, this research found multiple remote code execution vulnerabilities across nearly all platforms and new unique ways to deliver the exploits.
Conference: Defcon 31
Authors: Ceri Coburn, Red Team Operator & Offensive Security Dev @ Pen Test Partners
2023-08-01

The Windows Active Directory authority and the MIT/Heimdal Kerberos stacks found on Linux/Unix-based hosts often coexist in harmony within the same Kerberos realm. This talk and tool demonstration will show how this marriage is a match made in hell. Microsoft's Kerberos stack relies on non-standard data to identify its users. MIT/Heimdal Kerberos stacks do not support this non-standard way of identifying users. We will look at how Active Directory configuration weaknesses can be abused to escalate privileges on *inux-based hosts joined to the same Active Directory authority. This will also introduce an updated version of Rubeus to take advantage of some of these weaknesses.
Conference: Defcon 31
Authors: Tomer Bar, VP of Security Research @ SafeBreach; Omer Attias, Security Researcher @ SafeBreach
2023-08-01

The signature update process is critical to an EDR's effectiveness against emerging threats. The security update process must be highly secured, as demonstrated by the Flame malware attack that leveraged a rogue certificate for lateral movement. Nation-state capabilities are typically required for such an attack, given that signature update files are digitally signed by Microsoft. We wondered if we could achieve similar capabilities running as an unprivileged user without possessing a rogue certificate; instead we aimed to turn the original Windows Defender process to our full control. In this talk we will deep dive into Windows Defender architecture, the signature database format and the update process, with a focus on the security verification logic. We will explain how an attacker can completely compromise any Windows agent or server, including those used by enterprises, by exploiting a powerful 0day vulnerability that even we didn't expect to discover. We will demonstrate Defender-Pretender, a tool we developed to achieve neutralization of the EDR, allowing any already known malicious code to run Fully Un-Detected. It can also force Defender to delete admin's data, OS and driver files, resulting in an unrecoverable OS. We will also explain how an attacker can alter Defender's detection and mitigation logic.
Conference: Defcon 31
Authors: nyxgeek, hacker at TrustedSec
2023-08-01

Microsoft Azure is ripe with user information disclosures. We are going to look at weaponizing these disclosures by performing data collection at a large scale against OneDrive, Teams, and Graph. OneDrive and Teams present silent enumeration methods, requiring no logon attempts and creating no logs. This enables enumeration at a massive scale against the biggest corporations, educational institutes, and government entities in the world. Over the last 1.5 years I have enumerated over 20m users. We will explore the techniques used and the data that was collected, including Azure adoption rates and analysis of username formats. Microsoft Teams suffers from information disclosure due to default settings allowing users to see the online presence of others. An undocumented, unauthenticated Microsoft Teams Presence lookup trick will be shared, which enables easy unauthenticated enumeration of the online Teams Presence of users at many organizations. To demonstrate this we will monitor approximately 100,000 Microsoft employees' online presence and any out-of-office messages that are stored. Finally, Azure supports Guest users, allowing two companies to collaborate on a project. I will unveil a method of identifying Azure Guest users at other tenants. In this way, hidden corporate relationships can be revealed.
Conference: Black Hat Asia 2023
Authors: John Uhlmann
2023-05-12

Memory scanning is a defensive necessity on Windows systems. Microsoft has not provided executable memory manager kernel callbacks, and user-mode hooks are fragile, so defenders have deployed periodic memory scanning to compensate. Attackers have responded by obfuscating their code during periods of inactivity to avoid these scanners. Gargoyle was the first public example, but many toolkits have implemented variations since. In this talk, we describe three approaches to uncovering such hidden shellcode. Firstly, we explore using the Control Flow Guard (CFG) bitmap to detect executable memory hidden by memory region protection fluctuations. We will then demonstrate using memory manager kernel ETW for runtime detection of violations of the immutable code page principle. Finally, we will show how to use kernel telemetry to construct normalised process behaviour profiles. These syscall summaries are roughly the runtime equivalent of the Import Table and can be used for highly scalable detection of outlier process behaviour. Both tools, the CFG bitmap guided memory scanner and the runtime behaviour monitor and profiler, will be released.
Authors: Sarah-Jane Madden
2023-02-15

tl;dr (powered by Generative AI)

The presentation discusses the challenges and solutions in implementing threat modeling in established software development teams, particularly during the COVID-19 pandemic.
  • Established software development teams may have difficulty in implementing threat modeling due to their existing processes and lack of security expertise.
  • To address this, it is important to provide benefits and scope of threat modeling, as well as point to similar organizations that have successfully implemented it.
  • Threat modeling should be integrated into the software development process and not treated as a separate tool.
  • Facilitated sessions can help teams overcome challenges in implementing threat modeling, particularly during remote work situations.
Authors: Michael Bargury
2022-11-17

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines or the Office cloud, executed successfully, and reported back to the cloud. You can probably already see where this is going. In this presentation, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data, all while using nothing but Windows baked-in and signed executables, and Office cloud services. We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how it is enabled by default and can be used without explicit user consent. We will also point out a few promising future research directions for the community to pursue. Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.