Bypassing Windows Security Functions
- To make only one wish -
CODE BLUE 2018 1
Profile
Satoshi Ogawa
Mitsui Bussan Secure Direction(MBSD)
Twitter:abend@number3to4
Burp Suite Japan User Group
ISOG-WG1
Profile
Speaker
• OWASP DAY 2014
• July Tech Festa 2015, 2017
• AVTOKYO2016
• Financials ISAC Japan Conference 2018
Writing
• Software Design
Background
I have done penetration tests at many companies,
and I have bypassed Windows security functions at
each company.
Things to inform in this session
A bypass is not always detected and blocked, so I
want to say that it is important not only to enable
security functions, but also to implement multilayered defense,
such as strengthening monitoring.
Penetration Test
We suppose a scenario and test from the point of
intrusion into servers and network devices.
[Diagram: attack from the Internet through the firewall, or an inside job;
take over, then attack: what kind of authority, what we can do, and the impact]
The Penetration Test scenarios
There are cases where we investigate whether or not we
can intrude into servers, assuming a malware infection caused by
Advanced Persistent Threats (APTs).
[Diagram: the tester, as a PC and domain user in the user segment, accesses the
server segment through the firewall and IPS; another tester accesses from the Internet]
View of attacker
In APTs, since an attacker with a clear intention and purpose
intends to steal information from a specific organization, we
assume that even if they are restricted by security functions, they
will bypass them and accomplish their purpose.
• Bypass authentication and intrude
• Bypass security function restrictions
• ..etc
This Session
Steps in APT
Preparation → Intrusion → Lateral Movement → Action
• Preparation: Gathering information from Target
• Intrusion: Intrusion into Target
• Lateral Movement: Intrusion into the important servers
• Action: Stealing confidential information and hiding logs
Steps in APT
“Preparation” does not concern bypassing security functions, so I won’t
talk about it this time.
Steps in APT
“Intrusion” has to do with anti-viruses and monitoring,
but I won’t talk about it this time.
Steps in APT
I’ll be talking about the Lateral Movement step, in which
bypasses may be used when intruding into PCs etc.
Lateral Movement
• Operation in the intruded PCs
• Searching for other vulnerable PCs and expanding intrusion
• Intrusion into servers using the collected information
Operation → Gathering information → Intrusion into servers
Lateral Movement
https://attack.mitre.org/wiki/Lateral_Movement
• AppleScript
• Application Deployment Software
• Distributed Component Object Model
• Replication Through Removable Media
• Windows Remote Management
• Exploitation of Vulnerability
• Remote Desktop Protocol
• Remote File Copy
• Logon Scripts
• Pass the Hash
• SSH Hijacking
• Shared Webroot
• Remote Services
• Taint Shared Content
• Third-party Software
• Windows Admin Shares
(Japanese) https://github.com/abend9999/lateralmovement
How to protect Windows
There are security functions to protect Windows
against various attack methods.
• AppLocker
• Software Restriction Policy
• Windows Defender
• UAC (User Account Control)
..etc
Security restrictions on Windows
• Cannot install application (excluding PowerUser)
• Cannot change PC setting
• Cannot execute applications that are inadequate
for business
Result:
• Do not grant local administrator authority
• Restrict execution of specific applications
AppLocker control object
Based on the publisher, file path, and file hash, AppLocker
currently supports the following file types:
• Executables (.exe, .com)
• Windows Installers (.msi, .mst, .msp)
• Scripts (.vbs, .js, .ps1, .cmd, .bat)
• Dlls (.ocx, .dll)
• Packaged app installers (.appx)
AppLocker settings
AppLocker simply specifies conditions such as the
types of files whose execution you want to control.
Note about AppLocker
If the service "Application Identity" is not running,
AppLocker cannot be activated.
Advantages of AppLocker
If you have applications that you do not plan to use
such as cmd.exe, restricting them may increase the
security level.
From here, I will introduce examples of
security restrictions in penetration testing.
Restricting Drive Access - Background
In cases where access to an arbitrary drive is
prohibited, access to C drive is often prohibited or
hidden.
Restricting Drive Access - Trial
But it can be referenced in the command prompt and
can be accessed by directly specifying the path.
This can be bypassed too easily ...
Restricting Drive Access – Assumption
It is possible to specify and restrict the drive with
the following registry key, therefore we assume
that this was controlled by the registry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Restricting Applications - Background
There was a case where presumably the following
countermeasures were implemented to restrict specific
applications (such as notepad and command prompt):
• Disabled “Run”
• Hid C drive
• Deleted program menu
Restricting Applications - Trial
I ran Notepad with "View source" in Internet Explorer, generated a
bat file to run cmd.exe, and then executed it.
If you choose GOOD ADVICE and even IE is stopped.
Restricting Application – Assumption
• Control “Run” in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
• Control Drive display setting in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
• Control program menu in the folder:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
Restricting IE - Background
When execution of Internet Explorer is restricted
using AppLocker ...
Restricting IE – Trial 1
Send a GET request with PowerShell.
# Fetch a page through the .NET WebRequest class; no browser process is started
$req = [System.Net.WebRequest]::Create("https://www.google.com")
$response = $req.GetResponse()
$stream = $response.GetResponseStream()
$res = (New-Object System.IO.StreamReader $stream).ReadToEnd()
$response.Close()
Write-Host $res
Restricting IE – Trial 2
If you can render jQuery in your brain, this is enough.
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="ja"><head><meta content="&#19990;&#30028;&#20013;&#12398;&#12354;&#12425;&#12422;&#12427;&#24773;&#22577;&#12434;&#26908;&#32034;&#12377;&#12427;&#12383;&#12417;&#12398;&#12484;&#12540;&#12523;&#12434;&#25552;&#20379;&#12375;&#12390;&#12356;&#12414;&#12377;&#12290;&#12373;&#12414;&#12374;&#12414;&#12394;&#26908;&#32034;&#27231;&#33021;&#12434;&#27963;&#29992;&#12375;&#12390;&#12289;&#12362;&#25506;&#12375;&#12398;&#24773;&#22577;&#12434;&#35211;&#12388;&#12369;&#12390;&#12367;&#12384;&#12373;&#12356;&#12290;" name="description">
<meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/logos/doodles/2018/world-cup-2018-day-19-6211393811382272.3-law.gif" itemprop="image"><meta content="&#12527;&#12540;&#12523;&#12489;&#12459;&#12483;&#12503; - Day 19" property="twitter:title"><meta content="&#12373;&#12354;&#35430;&#21512;&#38283;&#22987;&#12391;&#12377;&#65281;&#20170;&#26085;&#12398;#Google Doodle &#12391; &#19990;&#30028;&#20013; &#127758;&#127757;&#127759;&#12398; &#9917;&#12434;&#24540;&#25588;&#12375;&#12424;&#12358;&#65281;" property="twitter:description">
Restricting IE – Trial 3
Using HTML Help (hh.exe) to refer to help files such as the CHM
format.
Restricting IE – Trial 4
Specify a URL as an argument to HTML Help.
hh http://www.google.com
I understood that I could manage without a browser.
Restriction of IE - Behavior of hh.exe (1)
Direct access to an https site → Error
Sites redirected from http to https → No problem
hh.exe can also operate as an explorer.
Restriction of IE - Behavior of hh.exe (2)
hh.exe can also open certain files (such as txt and
xml files).
Restriction of IE - Behavior of hh.exe (3)
hh.exe cannot open if access is restricted to C drive.
Restriction of IE - Behavior of hh.exe (4)
Restricting PowerShell
By restricting PowerShell, you can prevent file-less
attacks using PowerShell.
[Diagram: running a malicious script using Pass the Hash; if it is file-less,
it is hard for antiviruses to detect]
PowerShell without PowerShell
"PowerShell without PowerShell", released in August
2016, bypasses AppLocker and runs PowerShell.
https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
PowerShell without PowerShell
• Compile a C# program with CSC.exe that runs PowerShell as the
action at uninstall
• Uninstall the compiled output with InstallUtil.exe
• PowerShell runs
[Diagram: C# source overriding Uninstall and specifying the PowerShell command
→ ① Compile with CSC.exe → ② Output binary file → ③ Uninstall with InstallUtil.exe
→ run the PowerShell specified in C#]
PowerShell without PowerShell
When running PowerShell, the process runs as
InstallUtil.exe.
PowerShell without PowerShell
It can be executed with user privilege.
• Compiling with CSC.exe
• Uninstalling with InstallUtil.exe
PowerShell without PowerShell
PowerShell runs in the background, but depending
on the PowerShell script you run, it may be easy to
get a shell.
[Diagram: InstallUtil.exe → binary file → uninstall → run the PowerShell specified in C#]
PowerShell without PowerShell
You can easily obtain a shell by running a script that
performs a reverse connect.
[Diagram: on the device that restricts PowerShell, acquire the script via IEX using
PowerShell without PowerShell and execute it file-less; the shell connects back to
the reverse connect target]
Q. Which one is the same?
It is easier than this problem.
I found another method (bypass by using the Install
Option), so I would like to introduce it.
• PowerShell without PowerShell
⇒ User privilege
• Bypass by using the Install Option
⇒ Administrator privilege required
AppLocker’s intended target
AppLocker can restrict 5 types of files:
• Executables (.exe, .com)
• Windows Installers (.msi, .mst, .msp)
• Scripts (.vbs, .js, .ps1, .cmd, .bat)
• Dlls (.ocx, .dll)
• Packaged app installers (.appx)
Differences depending on the extension
I thought that if I changed the extension of the EXE
file in various ways, I could bypass AppLocker.
• Change to COM file
→ AppLocker blocked
• Change to BAT file
→ AppLocker blocked
• Change to MSI file
→ Error showing that it's not a package file
Trial ①
I tried to build cmd.exe so that it can be installed as
an MSI file without causing an error.
Trial ②
I noticed the Custom Option and built it to run
cmd.exe as an Install Option.
Behavior after ①
I could run cmd.exe by specifying it in the Install Option,
but I got an error when I ran “dir” on the C drive.
Behavior after ②
When cmd.exe is restarted, it operates normally
with SYSTEM privilege.
Behavior after ③
cmd.exe launched after the install can run all
applications restricted by AppLocker.
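The techniques on slides 36 through 66 all leave a process-creation trail that the "monitoring operation logs" countermeasure can pick up: InstallUtil.exe started with the uninstall switch, csc.exe compiling a source file from a user profile, hh.exe given a URL, a shell spawned by msiexec.exe during a custom action (running as SYSTEM, as slide 65 notes), and powershell_ise.exe being launched. The following is an added example, not part of the talk: it parses the message body of Windows Security event 4688, which carries Creator Process Name and, only when the "Include command line in process creation events" audit policy is enabled, Process Command Line, and flags those patterns. The events are constructed here to mirror the real layout; the paths and account names are made up. Notepad launched by iexplore.exe (slide 67) is included as a sixth rule.

```python
"""Flag Windows 4688 process-creation events that match the AppLocker bypass
patterns described in the talk. Added example: events are constructed, not
taken from a real host."""
import re
from pathlib import PureWindowsPath

# 4688 message bodies are "Key:<tab>Value" lines; keys contain letters/spaces only.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_4688(text):
    """Return the first value seen for each field of a 4688 message body."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields


def basename(path):
    """Lower-case file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return the suspicious patterns one parsed 4688 event matches."""
    proc = basename(ev.get("New Process Name", ""))
    parent = basename(ev.get("Creator Process Name", ""))
    cmd = ev.get("Process Command Line", "").lower()
    hits = []
    if proc == "installutil.exe" and re.search(r"(^|\s)[/-]u(ninstall)?\b", cmd):
        hits.append("InstallUtil.exe run with the uninstall switch (PowerShell without PowerShell)")
    if proc == "csc.exe" and "\\users\\" in cmd:
        hits.append("csc.exe compiling a source file from a user profile")
    if proc == "hh.exe" and re.search(r"https?://", cmd):
        hits.append("hh.exe launched with a URL (HTML Help used as a browser)")
    if parent == "msiexec.exe" and proc in {"cmd.exe", "powershell.exe", "powershell_ise.exe"}:
        hits.append("shell spawned by msiexec.exe (MSI custom action / Install Option)")
    if proc == "powershell_ise.exe":
        hits.append("powershell_ise.exe launched (is it covered by the PowerShell restriction?)")
    if proc == "notepad.exe" and parent == "iexplore.exe":
        hits.append("notepad.exe spawned by iexplore.exe (View source)")
    return hits


def scan(event_texts):
    """Return (event index, account name, pattern) for every match across events."""
    results = []
    for i, text in enumerate(event_texts):
        ev = parse_4688(text)
        for hit in classify(ev):
            results.append((i, ev.get("Account Name", "?"), hit))
    return results


def make_4688(account, new_process, parent, cmdline):
    """Constructed 4688-style message body; the field layout mirrors the real event."""
    return (
        "A new process has been created.\n"
        "Subject:\n"
        f"\tAccount Name:\t\t{account}\n"
        "Process Information:\n"
        f"\tNew Process Name:\t{new_process}\n"
        f"\tCreator Process Name:\t{parent}\n"
        f"\tProcess Command Line:\t{cmdline}\n"
    )


# Constructed sample events (paths and the account "alice" are made up).
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    make_4688("alice", NET + r"\InstallUtil.exe", SYS32 + r"\cmd.exe",
              r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\alice\AppData\Local\Temp\sample.exe"),
    make_4688("alice", NET + r"\csc.exe", SYS32 + r"\cmd.exe",
              r"csc.exe /out:C:\Users\alice\sample.exe C:\Users\alice\sample.cs"),
    make_4688("alice", SYS32 + r"\hh.exe", SYS32 + r"\cmd.exe", "hh http://www.google.com"),
    make_4688("SYSTEM", SYS32 + r"\cmd.exe", SYS32 + r"\msiexec.exe", "cmd.exe"),
    make_4688("alice", SYS32 + r"\notepad.exe", SYS32 + r"\explorer.exe", SYS32 + r"\notepad.exe"),
    make_4688("alice", SYS32 + r"\WindowsPowerShell\v1.0\powershell_ise.exe", SYS32 + r"\explorer.exe",
              SYS32 + r"\WindowsPowerShell\v1.0\powershell_ise.exe"),
]

if __name__ == "__main__":
    for idx, account, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx} ({account}): {hit}")
```

Only the notepad-from-explorer event passes clean; the other five each produce one finding. The parent-process rule is the one worth keeping even when command lines are not audited, because a cmd.exe whose creator is msiexec.exe and whose account is SYSTEM is exactly the state slide 65 describes.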
By the way
Even if notepad.exe is restricted via AppLocker, it can be
launched by “view source” in Internet Explorer.
Let’s not forget
There are some settings that we tend to forget when
restricting cmd.exe or powershell.exe with AppLocker.
Run powershell_ise.exe
You can run powershell_ise.exe, but it will be
blocked when you start a new PowerShell process
within it.
One wish
I asked MSRC if I could do something to solve this,
but I got a similar answer.
“Applocker generally does not meet the bar
for MSRC case.”
In order to protect myself from bypasses, I noticed that I had to do
something myself.
Countermeasures
• Use AppLocker with a whitelist
• If it’s difficult to operate a whitelist, set strict
restrictions for AppLocker along with other group
policies
• Detect problems using multilayer defense such as
monitoring operation logs
Countermeasures
By implementing the following restrictions, I could
not use the methods introduced in this talk.
I restricted the following using AppLocker:
• iexplore.exe
• csc.exe
• powershell.exe
• powershell_ise.exe
• cmd.exe
• Installing non-Microsoft software
※ There is a possibility of other operations being affected by implementing these restrictions.
Please do so at your own risk.
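The countermeasures above amount to a policy review: every rule collection enforced (the MSI trick on slides 59 to 66 works where the Windows Installer collection is not controlling anything), the listed binaries denied, including powershell_ise.exe from the "Let's not forget" slides, and no Allow rule that lets a user-writable location run code, which is what "use AppLocker with a whitelist" requires. The following linter is an added example, not the speaker's code: it parses an AppLocker policy in the XML format that the Local Security Policy export and PowerShell's `Get-AppLockerPolicy -Effective -Xml` produce, and flags those gaps. The policy below is a constructed sample with placeholder rule GUIDs. It cannot check that the Application Identity service (AppIDSvc) is running, which slide 20 points out is a precondition for enforcement; verify that separately on the host.

```python
"""Lint an AppLocker policy export against the countermeasures in the talk.
Added example (not the talk's or Microsoft's code); SAMPLE_POLICY is a
constructed policy whose rule GUIDs are placeholders."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# The five rule collections AppLocker supports (slides 18 and 58).
REQUIRED_COLLECTIONS = ("Exe", "Msi", "Script", "Dll", "Appx")
# Binaries the speaker ended up denying (slide 75).
TALK_DENY_LIST = {"iexplore.exe", "csc.exe", "powershell.exe", "powershell_ise.exe", "cmd.exe"}
# AppLocker path-variable prefixes that ordinary users can write to; an Allow
# rule rooted here lets a dropped file run, which defeats a whitelist.
USER_WRITABLE_PREFIXES = ("%OSDRIVE%\\USERS", "%OSDRIVE%\\PROGRAMDATA",
                          "%OSDRIVE%\\TEMP", "%REMOVABLE%", "%HOT%")


def rule_binary_names(rule):
    """Lower-case file names a rule's own Conditions name (Exceptions are ignored)."""
    conds = rule.find("Conditions")
    if conds is None:
        return set()
    names = {PureWindowsPath(c.get("Path", "")).name.lower() for c in conds.iter("FilePathCondition")}
    names |= {c.get("BinaryName", "").lower() for c in conds.iter("FilePublisherCondition")}
    return names


def lint_applocker_policy(xml_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    collections = {rc.get("Type"): rc for rc in root.iter("RuleCollection")}
    # 1. Every collection must exist and be enforced, not AuditOnly/NotConfigured.
    for ctype in REQUIRED_COLLECTIONS:
        rc = collections.get(ctype)
        if rc is None:
            findings.append(f"{ctype}: collection not configured (files of this type are not controlled)")
        elif rc.get("EnforcementMode") != "Enabled":
            findings.append(f"{ctype}: EnforcementMode is {rc.get('EnforcementMode')}, rules are not enforced")
    exe = collections.get("Exe")
    if exe is not None:
        denied = set()
        for rule in exe:  # FilePathRule / FilePublisherRule / FileHashRule children
            if rule.get("Action") == "Deny":
                denied |= rule_binary_names(rule)
                continue
            # 2. Allow rules must not whitelist whole user-writable trees.
            conds = rule.find("Conditions")
            for cond in ([] if conds is None else conds.iter("FilePathCondition")):
                path = cond.get("Path", "").upper()
                if path.endswith("*") and path.startswith(USER_WRITABLE_PREFIXES):
                    findings.append(f"Exe: Allow rule '{rule.get('Name')}' covers user-writable path {cond.get('Path')}")
        # 3. Each binary from the talk's list needs an explicit Deny.
        for name in sorted(TALK_DENY_LIST - denied):
            findings.append(f"Exe: no Deny rule for {name}")
    return findings


# Constructed sample: Exe enforced but incomplete, Msi only audited, Dll/Appx missing.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Allow Windows"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Allow user profile"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Deny cmd.exe"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000005" Name="Deny powershell.exe"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*" BinaryName="POWERSHELL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly" />
  <RuleCollection Type="Script" EnforcementMode="Enabled" />
</AppLockerPolicy>"""

if __name__ == "__main__":
    for finding in lint_applocker_policy(SAMPLE_POLICY):
        print(finding)
```

Against the sample the linter reports seven findings: the audited-only Msi collection, the missing Dll and Appx collections, the Allow rule over %OSDRIVE%\Users\*, and the absent Deny rules for csc.exe, iexplore.exe and powershell_ise.exe. Publisher-based Deny rules are matched on BinaryName, so the powershell.exe rule above counts even though it names no path.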
Summary
• There are many methods of bypassing Windows
security functions, and it is very difficult to
completely prevent them
• It is important to acquire logs, restrict and
monitor networks, etc. on the premise that you
will get bypassed
Reference
• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules
• https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies
• https://www.jpcert.or.jp/research/AD_report_20170314.pdf
• https://attack.mitre.org/wiki/Lateral_Movement
• http://eternalwindows.jp/security/securitycontext/securitycontext17.html

Burp番外編~バープ、チョトニホンゴデキル~abend_cve_9999_0001
 
おちこんだりもしたけど、私は元気です。
おちこんだりもしたけど、私は元気です。おちこんだりもしたけど、私は元気です。
おちこんだりもしたけど、私は元気です。abend_cve_9999_0001
 
フリーでできるセキュリティWeb編(SQLMあpを楽しもう)
フリーでできるセキュリティWeb編(SQLMあpを楽しもう)フリーでできるセキュリティWeb編(SQLMあpを楽しもう)
フリーでできるセキュリティWeb編(SQLMあpを楽しもう)abend_cve_9999_0001
 
ハニーポットで見る攻撃手法(特に結論はありません)
ハニーポットで見る攻撃手法(特に結論はありません)ハニーポットで見る攻撃手法(特に結論はありません)
ハニーポットで見る攻撃手法(特に結論はありません)abend_cve_9999_0001
 

Plus de abend_cve_9999_0001 (20)

Bypassing anti virus using powershell
Bypassing anti virus using powershellBypassing anti virus using powershell
Bypassing anti virus using powershell
 
ポートスキャンを擬人化してみた
ポートスキャンを擬人化してみたポートスキャンを擬人化してみた
ポートスキャンを擬人化してみた
 
Bypassing Windows Security Functions(ja)
Bypassing Windows Security Functions(ja)Bypassing Windows Security Functions(ja)
Bypassing Windows Security Functions(ja)
 
Burp Suite Japanユーザグループ紹介
Burp Suite Japanユーザグループ紹介Burp Suite Japanユーザグループ紹介
Burp Suite Japanユーザグループ紹介
 
バックアップファイルの管理
バックアップファイルの管理バックアップファイルの管理
バックアップファイルの管理
 
標的型攻撃からどのように身を守るのか
標的型攻撃からどのように身を守るのか標的型攻撃からどのように身を守るのか
標的型攻撃からどのように身を守るのか
 
Your hash is.
Your hash is.Your hash is.
Your hash is.
 
Nmapの真実(続)
Nmapの真実(続)Nmapの真実(続)
Nmapの真実(続)
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say  any more"Nmap 9 truth "Nothing to say  any more"
Nmap 9 truth "Nothing to say any more"
 
Nmap 9つの真実
Nmap 9つの真実Nmap 9つの真実
Nmap 9つの真実
 
Nmapの真実
Nmapの真実Nmapの真実
Nmapの真実
 
Burpで指定文字列を検索
Burpで指定文字列を検索Burpで指定文字列を検索
Burpで指定文字列を検索
 
The vulnerabilities never bothered me anyway
The vulnerabilities never bothered me anywayThe vulnerabilities never bothered me anyway
The vulnerabilities never bothered me anyway
 
フリーでできるセキュリティチェック OpenVAS CLI編
フリーでできるセキュリティチェック OpenVAS CLI編フリーでできるセキュリティチェック OpenVAS CLI編
フリーでできるセキュリティチェック OpenVAS CLI編
 
もしWebセキュリティのエンジニアがRFC7540の「HTTP/2アプリ」をWeb診断したら
もしWebセキュリティのエンジニアがRFC7540の「HTTP/2アプリ」をWeb診断したらもしWebセキュリティのエンジニアがRFC7540の「HTTP/2アプリ」をWeb診断したら
もしWebセキュリティのエンジニアがRFC7540の「HTTP/2アプリ」をWeb診断したら
 
フリーでできるWebセキュリティ(burp編)
フリーでできるWebセキュリティ(burp編)フリーでできるWebセキュリティ(burp編)
フリーでできるWebセキュリティ(burp編)
 
Burp番外編~バープ、チョトニホンゴデキル~
Burp番外編~バープ、チョトニホンゴデキル~Burp番外編~バープ、チョトニホンゴデキル~
Burp番外編~バープ、チョトニホンゴデキル~
 
おちこんだりもしたけど、私は元気です。
おちこんだりもしたけど、私は元気です。おちこんだりもしたけど、私は元気です。
おちこんだりもしたけど、私は元気です。
 
フリーでできるセキュリティWeb編(SQLMあpを楽しもう)
フリーでできるセキュリティWeb編(SQLMあpを楽しもう)フリーでできるセキュリティWeb編(SQLMあpを楽しもう)
フリーでできるセキュリティWeb編(SQLMあpを楽しもう)
 
ハニーポットで見る攻撃手法(特に結論はありません)
ハニーポットで見る攻撃手法(特に結論はありません)ハニーポットで見る攻撃手法(特に結論はありません)
ハニーポットで見る攻撃手法(特に結論はありません)
 

Dernier

Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvLewisJB
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptMadan Karki
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringJuanCarlosMorales19600
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsSachinPawar510423
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 

Dernier (20)

Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.ppt
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineering
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documents
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 

Bypassing Windows Security Functions(en)

  • 10. Steps in APT (CODE BLUE 2018): Preparation → Intrusion → Lateral Movement → Action
    • Preparation: gathering information about the target
    • Intrusion: intrusion into the target
    • Lateral Movement: intrusion into the important servers
    • Action: stealing confidential information and hiding logs
  • 11. Steps in APT: "Preparation" does not involve bypassing security functions, so I won't talk about it this time.
  • 12. Steps in APT: "Action" has to do with anti-virus and monitoring, so I won't talk about it this time either.
  • 13. Steps in APT: I'll be talking about bypasses that may be used when intruding into PCs and so on.
  • 14. Lateral Movement: Operation → Gathering information → Intrusion into servers
    • Operation in the intruded PCs
    • Searching for other vulnerable PCs and expanding the intrusion
    • Intrusion into servers using the collected information
  • 15. Lateral Movement (https://attack.mitre.org/wiki/Lateral_Movement): AppleScript, Application Deployment Software, Distributed Component Object Model, Replication Through Removable Media, Windows Remote Management, Exploitation of Vulnerability, Remote Desktop Protocol, Remote File Copy, Logon Scripts, Pass the Hash, SSH Hijacking, Shared Webroot, Remote Services, Taint Shared Content, Third-party Software, Windows Admin Shares. Japanese translation: https://github.com/abend9999/lateralmovement
  • 16. How to protect Windows: there are security functions to protect Windows against these attack methods: AppLocker, Software Restriction Policy, Windows Defender, UAC (User Account Control), etc.
  • 17. Security restrictions on Windows. Result: cannot install applications (excluding Power Users); cannot change PC settings; cannot execute applications that are inappropriate for business; local administrator authority is not granted; execution of specific applications is restricted.
  • 18. AppLocker control object: based on publisher, file path and file hash, AppLocker currently controls the following file types:
    • Executables (.exe, .com)
    • Windows Installers (.msi, .mst, .msp)
    • Scripts (.vbs, .js, .ps1, .cmd, .bat)
    • DLLs (.ocx, .dll)
    • Packaged app installers (.appx)
  • 19. AppLocker settings: AppLocker simply specifies conditions such as the types of files whose execution you want to control.
  • 20. Note about AppLocker: if the "Application Identity" service (AppIDSvc) is not running, AppLocker rules are not enforced.
  • 21. Advantages of AppLocker: if there are applications you do not plan to use, such as cmd.exe, restricting them may raise the security level.
  • 22. From here, I will introduce examples of bypassing security restrictions encountered in penetration testing.
  • 24. Restricting Drive Access - Background: where access to an arbitrary drive is prohibited, access to the C drive is often prohibited, or the drive is hidden.
  • 25. Restricting Drive Access - Trial: but the drive can still be listed from the command prompt and accessed by specifying the path directly.
  • 27. This can be bypassed too easily...
  • 28. Restricting Drive Access - Assumption: it is possible to specify and restrict drives with the following registry value, therefore we assume that the restriction was controlled by the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
  • 30. Restricting Applications - Background: there was a case where, presumably, the following countermeasures were implemented to restrict specific applications (such as Notepad and the command prompt):
    • "Run" disabled
    • C drive hidden
    • Program menu deleted
  • 31. Restricting Applications - Trial: I launched Notepad with "View source" in Internet Explorer, wrote a .bat file that runs cmd.exe, and then executed it.
  • 33. If you choose GOOD ADVICE, even IE is stopped...
  • 34. Restricting Applications - Assumption:
    • Control "Run" in the registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
    • Control drive display in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
    • Control the program menu in the folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
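The drive-hiding and "Run" restrictions in slides 24 to 34 are Explorer shell policies, which is why cmd.exe and a direct path walk straight past them. The script below is an added example, not code from the talk: it reads the three policy values the speaker attributes the restrictions to, from both the machine and user hives, decodes the drive bitmask (the documented layout, bit 0 = A:, bit 1 = B:, bit 2 = C:, and so on, is the only assumption), and then shows that a hidden drive is still readable from a non-Explorer process.

```powershell
# Added example (not from the CODE BLUE 2018 slides): inspect the Explorer
# policy values behind the drive / Run restrictions and decode the drive mask.
# Assumption: NoDrives and NoViewOnDrive use the documented bitmask layout
# (bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:).

function ConvertFrom-DriveMask {
    # Turn a NoDrives / NoViewOnDrive DWORD into the drive letters it covers.
    param([Parameter(Mandatory)][uint32]$Mask)
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band (1 -shl $bit)) {
            $letters += [string][char](65 + $bit) + ':'
        }
    }
    return $letters
}

function Get-ExplorerRestriction {
    # Collect NoRun / NoDrives / NoViewOnDrive from the machine and user policy keys.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        foreach ($name in 'NoRun', 'NoDrives', 'NoViewOnDrive') {
            if ($null -eq $p.$name) { continue }
            [pscustomobject]@{
                Key    = $key
                Value  = $name
                Raw    = $p.$name
                Drives = $(if ($name -eq 'NoRun') { '-' }
                           else { (ConvertFrom-DriveMask -Mask ([uint32]$p.$name)) -join ' ' })
            }
        }
    }
}

Get-ExplorerRestriction | Format-Table -AutoSize

# The policy only tells the Explorer shell what to show; the volume itself is
# untouched, so any other process (cmd.exe in the talk, PowerShell here) can
# still enumerate a drive that Explorer hides.
$hidden = Get-ExplorerRestriction |
    Where-Object { $_.Value -eq 'NoViewOnDrive' } |
    ForEach-Object { ConvertFrom-DriveMask -Mask ([uint32]$_.Raw) }

foreach ($drive in ($hidden | Select-Object -Unique)) {
    "$drive is hidden in Explorer but Get-ChildItem still lists it:"
    Get-ChildItem -Path "$drive\" -ErrorAction SilentlyContinue |
        Select-Object -First 3 -Property Name
}
```

Run it as the restricted user to see the policy from that user's point of view. An empty table means none of the three values is set, which usually means the restriction the speaker observed is coming from somewhere else (Group Policy preferences, a third-party agent) and the registry assumption on slide 34 does not hold for that machine.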
  • 36. Restricting IE - Background: when execution of Internet Explorer is restricted using AppLocker...
  • 37. Restricting IE - Trial 1: send a GET request with PowerShell.
      $req = [System.Net.WebRequest]::Create("https://www.google.com")
      $response = $req.GetResponse()
      $stream = $response.GetResponseStream()
      $res = (New-Object System.IO.StreamReader $stream).ReadToEnd()
      Write-Host $res
  • 38. Restricting IE - Trial 2: if you can render the HTML (and its jQuery) in your head, this is enough. [Screenshot: the raw HTML of www.google.com returned by the request above, with the Japanese page text as numeric HTML entities.]
  • 39. Restricting IE - Trial 3: use HTML Help (hh.exe), the viewer normally used for help files in CHM format.
  • 40. Restricting IE - Trial 4: specify a URL as the argument to HTML Help:
      hh http://www.google.com
  • 42. I realised that I could manage without a browser.
  • 43. Restriction of IE - Behavior of hh.exe (1): direct access to an https site → error; sites that redirect from http to https → no problem.
  • 44. Restriction of IE - Behavior of hh.exe (2): hh.exe can also operate as an explorer (file browser).
  • 45. Restriction of IE - Behavior of hh.exe (3): hh.exe can also open certain files (such as .txt and .xml files).
  • 46. Restriction of IE - Behavior of hh.exe (4): hh.exe cannot open files if access to the C drive is restricted.
  • 48. Restricting PowerShell: by restricting PowerShell, you can prevent file-less attacks that use PowerShell. File-less attacks are hard for anti-virus to detect, for example running a malicious script after Pass the Hash.
  • 49. PowerShell without PowerShell: "PowerShell without PowerShell", released in August 2016, bypasses AppLocker and runs PowerShell. https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
  • 50. PowerShell without PowerShell:
    • Write a C# program whose uninstall action runs PowerShell, and compile it with CSC.exe
    • "Uninstall" the compiled output with InstallUtil.exe
    • The PowerShell command specified in the C# source runs
    [Diagram: C# source (override Uninstall and specify the PowerShell command) → ① compile with CSC.exe → ② binary file → ③ uninstall with InstallUtil.exe → the PowerShell specified in C# runs]
  • 51. PowerShell without PowerShell: when PowerShell runs this way, the process is InstallUtil.exe.
  • 52. PowerShell without PowerShell: it can be executed with user privilege: compiling with CSC.exe and uninstalling with InstallUtil.exe.
  • 53. PowerShell without PowerShell: PowerShell runs in the background, but depending on the PowerShell script you run, it may be easy to get a shell.
  • 54. PowerShell without PowerShell: you can easily obtain a shell by running a script that performs a reverse connection. On the device that restricts PowerShell, acquire the script via IEX using PowerShell without PowerShell and execute it file-less; it then connects back to the reverse connect target.
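Slide 51 makes the point that matters for the blue team: the engine still runs, only the host process changes. The engine lifecycle is recorded in the classic "Windows PowerShell" log as event 400 ("Engine state is changed from None to Available") whose message carries a HostName= and a HostApplication= field, so a PowerShell engine started by InstallUtil.exe (or any other unexpected host) is visible there even though no powershell.exe process ever appears. The script below is an added example, not from the talk: it parses those fields and flags hosts other than the normal PowerShell binaries. The two event messages are constructed for this example in the layout of event 400; the field names are the only thing assumed about the real log.

```powershell
# Added example (not from the CODE BLUE 2018 slides): detect PowerShell engines
# hosted by something other than powershell.exe / powershell_ise.exe, which is
# the footprint of "PowerShell without PowerShell". Assumption: event 400 in the
# "Windows PowerShell" log carries HostName= and HostApplication= lines in its
# message. The sample messages below are constructed, not real captures.

function ConvertFrom-EngineEvent {
    # Parse the "Name=Value" lines of an event 400/403 message into an object.
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(\w+)=(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        HostName        = $fields['HostName']
        HostApplication = $fields['HostApplication']
    }
}

function Test-UnexpectedPowerShellHost {
    # $true when the host application is not one of the expected binaries.
    # The first token of the command line is the executable; quoted paths that
    # contain spaces are not handled here.
    param(
        [Parameter(Mandatory)][string]$HostApplication,
        [string[]]$Expected = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')
    )
    $exe = (($HostApplication -split '\s+')[0]).Trim('"')
    $exe = [System.IO.Path]::GetFileName($exe)
    return ($Expected -notcontains $exe.ToLowerInvariant())
}

# Constructed sample messages (layout of event 400; not real log data).
$samples = @(
@"
Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    SequenceNumber=13
    HostName=ConsoleHost
    HostVersion=5.1.17763.1
    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    EngineVersion=5.1.17763.1
"@,
@"
Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    SequenceNumber=13
    HostName=Default Host
    HostVersion=5.1.17763.1
    HostApplication=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\user\AppData\Local\Temp\sample.exe
    EngineVersion=5.1.17763.1
"@
)

foreach ($m in $samples) {
    $e    = ConvertFrom-EngineEvent -Message $m
    $flag = Test-UnexpectedPowerShellHost -HostApplication $e.HostApplication
    '{0,-6} host={1,-13} app={2}' -f ($(if ($flag) { 'ALERT' } else { 'ok' }), $e.HostName, $e.HostApplication)
}

# Against the live log the same check is:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } |
#       ForEach-Object { ConvertFrom-EngineEvent -Message $_.Message } |
#       Where-Object { Test-UnexpectedPowerShellHost -HostApplication $_.HostApplication }
```

The first sample reports "ok" (ConsoleHost started by powershell.exe); the second reports "ALERT" because the engine was brought up by InstallUtil.exe with a /U uninstall argument, which is exactly the chain on slide 50. Pair this with script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) to see what the hosted engine actually ran: that log is written by the engine, not by the host, so it is filled in for InstallUtil-hosted scripts as well.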
  • 56. Q. Which one is the same? It is easier than this problem.
  • 57. Bypass by using an Install Option: I found another method (using an Install Option), so I would like to introduce it. PowerShell without PowerShell ⇒ user privilege; by using an Install Option ⇒ administrator privilege required.
  • 58. AppLocker's intended target: AppLocker can restrict 5 types of files: Executables (.exe, .com); Windows Installers (.msi, .mst, .msp); Scripts (.vbs, .js, .ps1, .cmd, .bat); DLLs (.ocx, .dll); Packaged app installers (.appx).
  • 59. Differences depending on the extension: I thought that if I changed the extension of the EXE file in various ways, I could bypass AppLocker. Change to .com → blocked by AppLocker; change to .bat → blocked by AppLocker; change to .msi → error saying it is not a package file.
  • 60. Trial ①: I tried to build cmd.exe into an MSI file so that it can be installed without causing an error.
  • 61. Trial ②: I noticed the custom option (custom action) and built the MSI to run cmd.exe as an install option.
  • 64. Behavior after ①: I could run cmd.exe by specifying it as an install option, but I got an error when I ran "dir" on the C drive.
  • 65. Behavior after ②: when cmd.exe is restarted, it operates normally with SYSTEM privilege.
  • 66. Behavior after ③: the cmd.exe launched this way can run all applications restricted by AppLocker.
  • 67. By the way: even if notepad.exe is restricted via AppLocker, it can be launched by "View source" in Internet Explorer.
  • 68. Let's not forget: there are some settings that we tend to forget when restricting cmd.exe or powershell.exe with AppLocker.
  • 69. Let's not forget: running powershell_ise.exe.
  • 71. Run powershell_ise.exe: you can run powershell_ise.exe, but it is blocked when you start a new PowerShell process from within it.
  • 72. One wish: I asked MSRC if I could do something to solve this, but I got a similar answer: "Applocker generally does not meet the bar for MSRC case."
  • 73. In order to protect myself from bypass, I noticed that I had to do something for myself.
  • 74. Countermeasures: use AppLocker with a whitelist; if it is difficult to operate a whitelist, set strict restrictions in AppLocker along with other group policies; detect problems using multilayer defense such as monitoring operation logs.
  • 75. Countermeasures: by implementing the following restrictions, I could no longer use the methods introduced in this talk. I restricted the following using AppLocker: iexplore.exe, csc.exe, powershell.exe, powershell_ise.exe, cmd.exe, and installation of non-Microsoft software. ※ There is a possibility of other operations being affected by these restrictions. Please do so at your own risk.
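Slide 20 (AppLocker is only enforced while Application Identity runs) and slides 74 to 75 (explicit rules for the binaries abused in the talk, plus monitoring) are each a thing you can check rather than assume. The script below is an added example, not the speaker's own tooling: using only the AppLocker module cmdlets that ship with Windows, it reports the service state, the enforcement mode of each rule collection, what the effective policy decides for each binary the talk used, and the recent AppLocker audit/block events. It changes nothing; the list of binaries and the 24-hour window are this example's choices.

```powershell
# Added example (not from the CODE BLUE 2018 slides): verify that the AppLocker
# setup covers the binaries this talk abused, instead of trusting the editor.
# Needs the AppLocker module (present on Windows 10 / Server 2016 and later) and
# an effective policy on the host. Nothing here modifies policy.

function Test-AppIdService {
    # AppLocker rules are only enforced while the Application Identity service runs.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Get-AppLockerCollectionState {
    # One row per rule collection (Exe, Msi, Script, Dll, Appx). NotConfigured
    # means the collection is not enforced at all; AuditOnly only logs; Enabled blocks.
    # The Msi collection is the one that matters for the install-option bypass.
    $policy = Get-AppLockerPolicy -Effective
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection      = $rc.RuleCollectionType
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = ($rc | Measure-Object).Count
        }
    }
}

function Test-TalkBinaries {
    # Ask the effective policy what it decides for each binary used in the talk,
    # evaluated as the given principal (rules apply per user / group).
    param([string]$User = 'Everyone')
    $candidates = @(
        "$env:windir\System32\cmd.exe",
        "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:windir\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
        "$env:windir\hh.exe",
        "$env:ProgramFiles\Internet Explorer\iexplore.exe",
        "$env:windir\Microsoft.NET\Framework\v4.0.30319\csc.exe",
        "$env:windir\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        "$env:windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "$env:windir\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    )
    $targets = $candidates | Where-Object { Test-Path -Path $_ }
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $targets -User $User |
        Select-Object -Property FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerBlockEvent {
    # Audit (8003) and block (8004) events from the EXE and DLL channel: the
    # monitoring layer from slide 74, for the last N hours.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object -Property TimeCreated, Id, Message
}

"Application Identity service running: $(Test-AppIdService)"
Get-AppLockerCollectionState | Format-Table -AutoSize
Test-TalkBinaries -User 'Everyone' | Format-Table -AutoSize
Get-AppLockerBlockEvent -Hours 24 | Format-Table -AutoSize -Wrap
```

Read the PolicyDecision column carefully: AllowedByDefaultRule means the file is permitted only by the default "all files in the Windows folder" rule, which is precisely why hh.exe, csc.exe and InstallUtil.exe stay runnable in a policy that "restricts IE and PowerShell". The countermeasure on slide 75 is an explicit deny for each of them; rerun Test-TalkBinaries afterwards and every row should read Denied. Run the check once as Everyone and once as the real user group, because a path rule scoped to the wrong group passes the first check and fails the second.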
  • 76. Summary: there are many methods of bypassing Windows security functions, and it is very difficult to prevent them completely; it is important to acquire logs, restrict and monitor networks, etc. on the premise that you will get bypassed.
  • 77. References:
    • https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
    • https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules
    • https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
    • https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies
    • https://www.jpcert.or.jp/research/AD_report_20170314.pdf
    • https://attack.mitre.org/wiki/Lateral_Movement
    • http://eternalwindows.jp/security/securitycontext/securitycontext17.html