Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go :(" [rooted2019]

•

3 recomendaciones•919 vistas

RootedCON

Tecnología

The Art of Persistence:
Mr. Windows… I don’t wanna go
:(
Sheila Ayelen Berta (@UnaPibaGeek)

@UnaPibaGeek
Sheila A. Berta - @UnaPibaGeek
Offensive Security Researcher
A little bit more:
Developer ASM (Microcontrollers & Microprocessors x86/x64), C/C++, Go & Python.
Speaker at Black Hat Briefings, DEFCON, Ekoparty, HITB, etc ….. and RootedCon! :D

@UnaPibaGeek
“run keys” since long time ago…
HKCUSoftwareMicrosoftWindowsCurrentVersionRun

@UnaPibaGeek
“run keys” since long time ago…
…CurrentVersionPoliciesExplorerRun
…CurrentVersionExplorerShell Folders

@UnaPibaGeek
The Art of Persistence
Welcome to…

@UnaPibaGeek
COM Objects…
- C++ class
- Out of Process / In-Process
In-Process

@UnaPibaGeek
Globally Universal Identifier (GUID)…
16bytes array (GUID)- CLSID

@UnaPibaGeek
Windows Registry…
HKLMSoftwareClassesCLSID<GUID>
HKCUSoftwareClassesCLSID<GUID>

@UnaPibaGeek
Windows Registry…
InprocServer32 / InprocServer / InprocHandler32 / InprocHandler

@UnaPibaGeek
Persistence
via
Shell Extensions

@UnaPibaGeek
Shell Extension Handlers… (registry)
- System-wide (HKLMSoftwareClasses*shellex)

@UnaPibaGeek
Shell Extension Handlers… (registry)
- Current User (HKCUSoftwareClasses*shellex)
NO ADMIN PRIVILEGES REQUIRED

@UnaPibaGeek
Registering our own Shell Extension

@UnaPibaGeek
Malicious Shell Extension to persist
Registry Key 1
Registry Key 2
Malware downloader

@UnaPibaGeekSheila A. Berta - @UnaPibaGeek

@UnaPibaGeek
To sum up…
- Shell Extensions can be used to malware persistence.
- Attacker does not need admin privileges.
- Stealthy method!
Recommendation…
- Use PowerShell. Because it’s a trust binary for Windows. So, it let
you write the registry without restrictions.

@UnaPibaGeek
NO ADMIN PRIVILEGES REQUIRED
COM Hijack fundamentals…
HKLMSoftwareClassesCLSID
<GUID>
InprocServer32
(Default) = C:PathToDLL
HKCUSoftwareClassesCLSID
<GUID>
InprocServer32
(Default) = C:PathToDLL
Right COM Path:
First search:
POSSIBLE HIJACK
NOT FOUND

@UnaPibaGeek
HKCR Poisoning…
HKLMSoftwareClasses HKCUSoftwareClasses
HKEY_CLASSES_ROOT
NO ADMIN PRIVILEGES REQUIRED

@UnaPibaGeek
“Native” COM hijack…
(Windows 10)

@UnaPibaGeek
To sum up…
- Apps and native COM objects vulnerable to COM hijack
can be used to malware persistence.
- Attacker does not need admin privileges.
- Super Stealthy method!!
Remember…
- Use PowerShell to bypass restrictions :-)

@UnaPibaGeek
Persistence
via
Extension Handler
Hijack

@UnaPibaGeek
Extension Handler Hijack… with proxy!

@UnaPibaGeek
To sum up…
- Extension Handlers can be hijacked to malware persistence.
- Attacker does not need admin privileges.
- Super Stealthy method!!
- Powershell is not necessary, HKU registry can be edited
without restrictions :-)

@UnaPibaGeek
Conclusions…
Features of Windows can be
abused to make malware
persistence stealthier

Thank you!
Sheila Ayelen Berta (@UnaPibaGeek)

Más contenido relacionado

La actualidad más candente

The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products. I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.

Pwning the Enterprise With PowerShell

Beau Bullock

BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo

Andy Robbins

PowerShell for Practical Purple Teaming

Nikhil Mittal

DerbyCon 2019 - Kerberoasting Revisited

Will Schroeder

Containers are everywhere. But what exactly is a container? What are they made from? What's the difference between LXC, butts-nspawn, Docker, and the other container systems out there? And why should we bother about specific filesystems? In this talk, Jérôme will show the individual roles and behaviors of the components making up a container: namespaces, control groups, and copy-on-write systems. Then, he will use them to assemble a container from scratch, and highlight the differences (and likelinesses) with existing container systems.

Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon

Jérôme Petazzoni

Hunting for Privilege Escalation in Windows Environment

Teymur Kheirkhabarov

[2A1]Line은 어떻게 글로벌 메신저 플랫폼이 되었는가

NAVER D2

Introducción a las pruebas de intrusión en entornos Microsoft Active Directory en forma de ponencia práctica para auditores o personas interesadas en el pentesting en entornos corporativos. Se dará una breve introducción al servicio de directorio Active Directory y sus componentes más críticos desde el punto de vista de la seguridad.Posteriormente, se explicarán las principales diferencias con respecto a un pentesting clásico de infraestructura, así como las técnicas y ataques más comunes para llevar a cabo el ejercicio y comprometer completamente el dominio corporativo.Requisitos: Se recomienda que los asistentes tengan conocimientos básicos de Active Directory y básicos/medios de pentesting o hacking ético, preferiblemente en infraestructuras y/o Sistemas Operativos.

Carlos García - Pentesting Active Directory [rooted2018]

RootedCON

PSConfEU - Offensive Active Directory (With PowerShell!)

Will Schroeder

This is my talk from OWASP Appsec EU and also Security Fest 2017. A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remains and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.

DNS hijacking using cloud providers – No verification needed

Frans Rosén

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

Will Schroeder

Hunting Lateral Movement in Windows Infrastructure

Sergey Soldatov

0wn-premises: Bypassing Microsoft Defender for Identity

Nikhil Mittal

PowerShell for Penetration Testers

Nikhil Mittal

View full webinar on demand at http://bit.ly/nginxbenchmarking Whether you’re doing performance testing or planning for infrastructure needs, benchmarking can be a big deal. Join us for this webinar where we cover NGINX benchmarking best practices, including: - the test environment - configuring NGINX - using benchmarking tools - and more! You’ll learn how to approach doing benchmarks so that you obtain results that are more accurate, better understood, and do a better job of addressing the needs of your project.

Benchmarking NGINX for Accuracy and Results

NGINX, Inc.

Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.

SpecterOps Webinar Week - Kerberoasting Revisisted

Will Schroeder

Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.

Hackazon realistic e-commerce Hack platform

Ihor Uzhvenko

External to DA, the OS X Way

Stephan Borosh

BloodHound: Attack Graphs Practically Applied to Active Directory

Andy Robbins

ReCertifying Active Directory

Will Schroeder

La actualidad más candente (20)

Pwning the Enterprise With PowerShell

BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo

PowerShell for Practical Purple Teaming

DerbyCon 2019 - Kerberoasting Revisited

Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon

Hunting for Privilege Escalation in Windows Environment

[2A1]Line은 어떻게 글로벌 메신저 플랫폼이 되었는가

Carlos García - Pentesting Active Directory [rooted2018]

PSConfEU - Offensive Active Directory (With PowerShell!)

DNS hijacking using cloud providers – No verification needed

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

Hunting Lateral Movement in Windows Infrastructure

0wn-premises: Bypassing Microsoft Defender for Identity

PowerShell for Penetration Testers

Benchmarking NGINX for Accuracy and Results

SpecterOps Webinar Week - Kerberoasting Revisisted

Hackazon realistic e-commerce Hack platform

External to DA, the OS X Way

BloodHound: Attack Graphs Practically Applied to Active Directory

ReCertifying Active Directory

Similar a Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go :(" [rooted2019]

IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is the open-source firmware scanner, created by penetration testers for penetration testers. Project page: https://github.com/e-m-b-a/emba Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596

EMBA - Firmware analysis - Black Hat Arsenal USA 2022

MichaelM85042

Software geeks fear hardware. It's a fact of life: code is easy to write and easy to change, but hardware catches on fire if you put it together wrong. But this is changing! Hardware is becoming cheaper and easier to work with every day and can often be managed with the same tools you use to deploy code to the cloud. Join self-described software guy and hardware-phobe Ronald McCollam for a guided trip from the safe world of web development to the scary lands of hardware and back again. We'll see how easy it can be to make the leap from managed code to microprocessors!

Taking the hard out of hardware

Ronald McCollam

Not a lot was said about adware, especially not about adware for Mac. Adware is usually dismissed for being too benign and not interesting. After all – it just displays ads. But what if you were hit with an aggressive variant with malware-like features that has root access to your machine and has the ability to do what ever its creators wanted it to do? A Mac OS X port of the Pirrit adware includes properties like hidden users, traffic redirection, persistence, and weird DGA-looking domains, all showing that an aggressive malvertiser is now targeting Macs. In the case of OSX.Pirrit, it uses simple social engineering to escalate its privileges and eventually take total control of your Mac. And with control of your machine, Pirrit’s creators could have done pretty much anything, like stolen your company’s secret sauce or installed a keylogger to capture the log-in credentials for your bank account. The creators of Pirrit were trying very hard to avoid being detected by antiviruses, personal firewalls and even from some advanced users. In this talk, we’ll review OSX/Pirrit, dissect its methods and show it could have carried out much more sinister activities besides bombard a browser with ads.

OSX/Pirrit: The blue balls of OS X adware

Amit Serper

Porting your favourite cmdline tool to Android

Vlatko Kosturjak

The purpose of this presentation is to explain the basic resources to understand how a programmer can create malware, insides about the theme, and brainstorms following practical codes and many exotic ideas for security mitigations for defense. "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War

Understand study

Antonio Costa aka Cooler_

Cracking Into Embedded Devices - HACK.LU 2K8

guest441c58b71

Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis. Project page: https://github.com/e-m-b-a/emba Conference page: https://forum.defcon.org/node/242109

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

MichaelM85042

Advances in Open Source Password Cracking

n|u - The Open Security Community

KeyLoggers - beating the shit out of keyboard since quite a long time

n|u - The Open Security Community

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...

Felipe Prado

White Lightning Sept 2014

Bryce Kunz

Protect Your Payloads: Modern Keying Techniques

Leo Loobeek

Cryptocurrencies Hardware Wallets - 33C3 Bitcoin Assembly

Eric Larcheveque

Hacking - high school intro

Peter Hlavaty

Basic presentation of cryptography mechanisms

Marian Marinov

Adware isn’t taken seriously, especially threats targeting Macs. But OSX Pirrit, which can obtain root access and has components found in malware, shows that adware can become a huge security issue. Amit Serper will explain how OSX Pirrit works, why security professionals may want to rethink how commodity threats are handled and why Macs aren’t as secure as people think. (Source : RSA Conference USA 2017)

OSX Pirrit : Why you should care about malicious mac adware

Priyanka Aash

"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary. In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."

Breaking Smart Speakers: We are Listening to You.

Priyanka Aash

Eight Rules for Making Your First Great Game

Nick Pruehs

TeamT5 has helped many cyber-attack victims defending against APT actors for years. We see enormous cases showing that the actors still maintained their access to the victim network after some malware cleaning by unexperienced network managers or immature security teams. The main reason would be lacking knowledge regarding threat actors’ techniques in lateral movement operations. For example, Microsoft Windows Active Directory plays a key role and dominates most corporate network environments for centralized management and authentication. However, there are many scenarios of improper security settings would cause Active Directory attacks to become a convenient way for threat actors to move around. In this talk, we are going to present lateral movement methods to penetrate corporate network environment and techniques to bypass security monitoring systems. All cases are based on our real experiences fighting with APT actors in recent years. We categorize them into 4 categories and list the items as below: 1.AD Farm's penetration technique: mimilib, MemSSP, skeleton key, ACL abuse 2.Web-shell technique: IIS module abuse, Web source code injection, Deserialization, Rootkit 3.Second Tier backdoor techniques: DLL-hijack, IAT insert, Port reuse 4.Miscellaneous technique: how actors moving laterally in your network without malware or hacking tools. The target audiences of this talk include security researchers, antivirus vendors, SOC team analyst and incident response teams. The techniques disclosed in this talk would help and facilitate blue team members to detect and understand threat actors’ footprints inside a corporate network and effectively block their activities.

[CB20] Operation I am Tom: How APT actors move laterally in corporate network...

CODE BLUE

groovy & grails - lecture 6

Alexandre Masselot

Similar a Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go :(" [rooted2019] (20)

EMBA - Firmware analysis - Black Hat Arsenal USA 2022

Taking the hard out of hardware

OSX/Pirrit: The blue balls of OS X adware

Porting your favourite cmdline tool to Android

Understand study

Cracking Into Embedded Devices - HACK.LU 2K8

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

Advances in Open Source Password Cracking

KeyLoggers - beating the shit out of keyboard since quite a long time

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...

White Lightning Sept 2014

Protect Your Payloads: Modern Keying Techniques

Cryptocurrencies Hardware Wallets - 33C3 Bitcoin Assembly

Hacking - high school intro

Basic presentation of cryptography mechanisms

OSX Pirrit : Why you should care about malicious mac adware

Breaking Smart Speakers: We are Listening to You.

Eight Rules for Making Your First Great Game

[CB20] Operation I am Tom: How APT actors move laterally in corporate network...

groovy & grails - lecture 6

Más de RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde

RootedCON

rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...

RootedCON

Rooted2020 hunting malware-using_process_behavior-roberto_amado

RootedCON

Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_

RootedCON

Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...

RootedCON

Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...

RootedCON

Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...

RootedCON

Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer

RootedCON

rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...

RootedCON

Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy

RootedCON

Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...

RootedCON

Rooted2020 virtual pwned-network_-_manel_molina

RootedCON

Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...

RootedCON

Rooted2020 todo a-siem_-_marta_lopez

RootedCON

Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero

RootedCON

Rooted2020 live coding--_jesus_jara

RootedCON

Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...

RootedCON

Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...

RootedCON

Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste

RootedCON

Rooted2020 encontrando 0days-en_2020_-_antonio_morales

RootedCON

Más de RootedCON (20)