Skynet Will Use PsExec: When SysInternals Go Bad

Presented at NolaCon 2017, May 20, 2017, 3 p.m. (Unknown duration).

The Sysinternals Suite: A set of legitimate tools designed to make system administrators' lives easier. However, oftentimes system administrators are not alone: attackers really love these tools too! This presentation will take a hard look at how attackers, both legal and not, are bending the Sysinternals suite to their will. Without needing any 0-days, custom malware, or advanced knowledge of network topology, attackers are moving through compromised networks with skill and ease. We're going to expose how attackers are utilizing these tools, and common flaws that we see within many networks. We won't name names, but it might get embarrassing! We'll look at how the red team can use these tools to blend in too.

We're also going to discuss common forensic artifacts these tools leave behind, and how our blue teamers can up their game and make sure that the lowest-hanging fruit isn't the most ignored fruit. While this knowledge may seem trivial to some, we are still seeing advanced attackers using these tools on a daily basis. The goal of this presentation is to help the red team find some new tools, and help the blue team defend a bit better against these commonly abused tools.

Presenters:

  • Matt Bromiley
    Matt has experience in incident response, digital forensics, threat intelligence, and network security monitoring. His skills include disk, database, and network forensics, incident response/triage, and network security monitoring. He is passionate about learning, sharing with others, and working on open source tools. When not jamming with the console cowboys in cyberspace, Matt can be found with his new daughter, wife, 2 dogs, and sometimes hidden in a cloud of sweet, delicious smoke of a Texas BBQ pit. Twitter: @mbromileyDFIR
  • Brian Marks
    Brian, from Chicago, is an incident response consultant. He thrives on chasing bad guys on a daily basis. Brian has spent time developing ways to perform digital forensics faster, including building out automated scripts and rapid forensic analysis platforms.