Hack Microsoft Using Microsoft Signed Binaries

Presented at NorthSec 2017

Imagine being attacked by legitimate software tools that cannot be detected by the usual defender tools. How bad could it be to be attacked by malicious threat actors who only send bytes to be read and bytes to be written in order to achieve advanced attacks? The most dangerous threat is the one you can't see. At a time when it is already not obvious how to detect memory attacks that use APIs like VirtualAlloc, what would be worse than having to detect something like "f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10"? We will demonstrate that we can achieve every kind of attack you can imagine using only PowerShell and a Microsoft-signed debugger. We can retrieve passwords from userland memory, execute shellcode by dynamically parsing loaded PEs, or attack the kernel, achieving advanced persistence inside any system.

Presenters:

  • Pierre-Alexandre Braeken
    Pierre-Alexandre Braeken is an accomplished and highly experienced security professional with over 13 years of experience in engineering and system architecture. In his career, having acquired the MCSE, MCSA and MCITP certifications, he has focused specifically on security, specializing in the implementation of large projects for businesses relying on Microsoft infrastructure and alternative platforms. He is a Microsoft Certified Solutions Expert in Cloud Platform and Infrastructure. He has an excellent command and understanding of information security, security architecture and secure application development, as well as strong analytical skills pertaining to enterprise situations, risk and contingency plans. He is focused on assisting organizations across Canada with implementing effective threat detection and response capabilities and with performing red teaming activities. He does unique security research and speaks at major international security conferences: Black Hat Asia Briefings 2017, Singapore; Black Hat Europe Arsenal 2016, London, U.K.; BSidesDC 2016, Washington, U.S.; SecTor 2016, Toronto, Canada; InfoSecurity Europe 2016, London, U.K.; Hackfest 2015, Quebec, Canada.
