Network Defender Archeology: An NSM Case Study in Lateral Movement with DCOM

Presented at Black Hat Europe 2018, Dec. 6, 2018, 1:30 p.m. (50 minutes).

Adversaries love leveraging legitimate functionality that lies dormant inside Microsoft Windows for malicious purposes, and they often disguise their activity behind the smoke screen of "normal administrator behavior." Over the last year there has been a significant surge in the malicious use of Component Object Model (COM) objects as a "living off the land" approach to lateral movement. COM, a subsystem that has been part of Windows since its early days, exposes interfaces and functionality within software objects and can share that functionality over the network via Distributed COM (DCOM). With over 20 years in existence and more than a year of relative popularity among adversaries, one would imagine that network analysis and detection of DCOM attacks would be old news. On the contrary, very few people understand the techniques, tools fail to properly parse the network protocol, and adversaries continue to successfully leverage it to further the compromise of networks. Needless to say, it is difficult to defend against techniques that defenders do not understand.

This talk aims to address that knowledge gap by exploring DCOM as a lateral movement technique and providing a methodical walkthrough of the technique from both the attacker and defender perspectives. The audience will get a deep dive into:

• [D]COM 101

• How an adversary chooses a COM object for lateral movement

• NSM approaches to DCOM (pros vs. cons)

• Network protocol analysis of the attack using open source tools
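The NSM point behind the last two bullets is that a DCOM activation is a two-stage exchange on the wire: the client talks to the RPC endpoint mapper on TCP/135, asks the ISystemActivator (IRemoteSCMActivator) interface to create the object (RemoteCreateInstance), receives the object exporter's bindings in the reply, and only then opens a second TCP session to the dynamic port where the object actually runs. A detector that sees only the TCP/135 half, or only the high-port half, has nothing to act on; correlating both halves from the same client/server pair is what exposes the activation. The following is an added example written for this page, not code from the talk or from Gigamon's ATR team. The row layout and the endpoint/operation names mimic Zeek's dce_rpc.log and conn.log, which is an assumption about how an open source parser labels this traffic rather than a claim about Zeek's exact output, and the default Windows dynamic RPC range (49152 and up) is assumed; the log rows themselves are constructed.

```python
"""Correlate a DCOM remote activation on TCP/135 with the follow-on session to
the object exporter's dynamic port, over Zeek-style dce_rpc.log / conn.log rows.
Added example for this page; field names and endpoint labels are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List

EPM_PORT = 135                              # RPC endpoint mapper / SCM activation port
DYNAMIC_PORT_MIN = 49152                    # assumption: default Windows dynamic RPC range
ACTIVATION_ENDPOINT = "ISystemActivator"    # IRemoteSCMActivator, 000001a0-0000-0000-c000-000000000046
ACTIVATION_OPS = {"RemoteCreateInstance", "RemoteGetClassObject"}


@dataclass(frozen=True)
class DceRpcRow:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    endpoint: str
    operation: str


@dataclass(frozen=True)
class ConnRow:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str


@dataclass(frozen=True)
class DcomActivation:
    client: str
    server: str
    activation_ts: float
    object_port: int
    operation: str


def parse_dce_rpc(text: str) -> List[DceRpcRow]:
    """Parse tab-separated rows (ts, orig_h, resp_h, resp_p, endpoint, operation); '#' lines are headers."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, endpoint, operation = line.split("\t")
        rows.append(DceRpcRow(float(ts), orig_h, resp_h, int(resp_p), endpoint, operation))
    return rows


def parse_conn(text: str) -> List[ConnRow]:
    """Parse tab-separated rows (ts, orig_h, resp_h, resp_p, proto); '#' lines are headers."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto = line.split("\t")
        rows.append(ConnRow(float(ts), orig_h, resp_h, int(resp_p), proto))
    return rows


def find_dcom_activations(dce_rpc: Iterable[DceRpcRow], conns: Iterable[ConnRow],
                          window_s: float = 5.0) -> List[DcomActivation]:
    """Flag client->server pairs that issued a remote activation request on TCP/135
    and then opened a TCP session to a dynamic port on the same server within window_s."""
    conns = list(conns)
    hits = []
    for r in dce_rpc:
        if r.resp_p != EPM_PORT or r.endpoint != ACTIVATION_ENDPOINT or r.operation not in ACTIVATION_OPS:
            continue
        follow = [c for c in conns
                  if c.proto == "tcp" and c.orig_h == r.orig_h and c.resp_h == r.resp_h
                  and c.resp_p >= DYNAMIC_PORT_MIN and r.ts <= c.ts <= r.ts + window_s]
        if follow:
            first = min(follow, key=lambda c: c.ts)   # the object exporter session
            hits.append(DcomActivation(r.orig_h, r.resp_h, r.ts, first.resp_p, r.operation))
    return hits


# Constructed sample rows: one full activation (10.0.0.5 -> 10.0.0.20), one plain
# endpoint-mapper lookup (10.0.0.7), and one activation with no timely follow-on (10.0.0.8).
SAMPLE_DCE_RPC = """\
#fields ts\torig_h\tresp_h\tresp_p\tendpoint\toperation
1544103000.10\t10.0.0.5\t10.0.0.20\t135\tepmapper\tept_map
1544103000.15\t10.0.0.5\t10.0.0.20\t135\tISystemActivator\tRemoteCreateInstance
1544103042.00\t10.0.0.7\t10.0.0.20\t135\tepmapper\tept_map
1544103090.00\t10.0.0.8\t10.0.0.30\t135\tISystemActivator\tRemoteCreateInstance
"""
SAMPLE_CONN = """\
#fields ts\torig_h\tresp_h\tresp_p\tproto
1544103000.05\t10.0.0.5\t10.0.0.20\t135\ttcp
1544103000.40\t10.0.0.5\t10.0.0.20\t445\ttcp
1544103000.62\t10.0.0.5\t10.0.0.20\t49671\ttcp
1544103042.10\t10.0.0.7\t10.0.0.20\t49672\ttcp
1544103200.00\t10.0.0.8\t10.0.0.30\t49700\ttcp
"""

if __name__ == "__main__":
    for hit in find_dcom_activations(parse_dce_rpc(SAMPLE_DCE_RPC), parse_conn(SAMPLE_CONN)):
        print(f"DCOM activation {hit.client} -> {hit.server}:{hit.object_port} ({hit.operation})")
```

Two caveats a practitioner would want. First, the whole detection hinges on the parser correctly labelling the activation interface on TCP/135; the abstract's observation that tools fail to parse the protocol properly means this label is exactly the thing to verify against a packet capture of a known activation before trusting the rule. Second, a server whose DCOM port range has been pinned by policy, or an object exporter that was already bound before the capture started, will not produce a fresh high-port connection inside the window, so the window and the port floor are tuning knobs, not constants.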


Presenters:

  • Justin Warner - Principal Security Engineer, Gigamon
    Justin Warner (@sixdub) is a Principal Security Engineer on the Applied Threat Research (ATR) team at Gigamon, where he conducts threat research and develops network threat detection capabilities. Justin is an Air Force Academy graduate, former USAF Cyber Ops officer, and former red team lead, where he focused on adversary emulation operations against several Fortune 100 companies as well as federal, state, and local government organizations. Justin has a passion for threat research, reverse engineering, and using his "free time" to spend time with his wife and daughter.
  • Alex Sirr - Security Engineer, Gigamon
    Alex Sirr (@DarkAl3x1s) is a recently graduated intern and a current member of the Gigamon Applied Threat Research (ATR) team. Alex has focused his research on network threat detection, tactical nerf battles, and security engineering work where he gets to prototype systems to operationally aid his team. He enjoys studying adversarial techniques and thinking creatively about how to defeat them. Alex is a graduate of the University of Washington, where he studied Informatics with a focus on information assurance and cybersecurity and was a member of Batman's Kitchen, the UW CTF team. In his free time, he enjoys coding various side projects, cycling, and practicing Krav Maga.
