Clean Up On the Serial Aisle – Developing a Systematic Hunting Methodology for Deserialization Exploits

Presented at ShmooCon 2022 Rescheduled, March 25, 2022, 4 p.m. (60 minutes)

Deserialization vulnerabilities are a class of bugs that have plagued multiple applications over the years, including Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more.

Attackers have leveraged these bugs for years to upload files, access unauthorized resources, and execute malicious code on targeted servers. Within the past 2 years, Mandiant has particularly observed APT41 using .NET ViewState and Java deserialization exploits to target companies and government entities within North America.

Researchers have already created tools for rapidly generating payloads. So, why not create a tool to rapidly generate detection and hunting rules?

In this talk, we will walk through the research process that led to HeySerial.py, a new rule generation tool, and we will show how we can use it to hunt for advanced attackers and potential zero-days.


Presenters:

  • Alyssa Rahman
    Alyssa Rahman (@ramen0x3f) is currently a Principal Threat Researcher on Mandiant’s Advanced Practices team. Formerly a red teamer, Alyssa specializes in puns and as a side hustle dissects the tools, techniques, and processes (TTPs) used in intrusions, so she can find creative ways to detect and hunt for threat actors.
