Subverting Trust in Windows

Presented at TROOPERS18 (2018), March 15, 2018, 10:30 a.m. (Unknown duration).

In the context of computer security, what is trust and what does it mean to you and your organization? While clearly a subjective term, trust should form the basis of what we permit and deny in our enterprise. Trust can also be explicit or implicit and security products exist to cater to both models, specifically, application whitelisting and EPP/EDR solutions, respectively. Additionally, threat hunters and incident responders require a definition of trust so as to be able to quickly make benign versus suspicious classifications during the course of an investigation.

As for the implementation of trust, code signing plays a large role. That said, what does it mean for code to be signed? What certificates should be considered trusted? What are the technical means by which digital signatures are validated against trusted certificates and how might an attacker subvert the process? What are some of the common assumptions security tools and users of security tools make when it comes to trust validation?

All of these questions in the context of Microsoft Windows will be addressed. By the end of this talk, the audience will understand the Windows trust architecture, how it can be subverted, and how to mitigate/detect subversion attempts. Finally, everyone will walk away with an appreciation of trust and the challenges involved in its validation.

What does trust mean to you and your organization? What are the technical means by which trust is validated and enforced? Whether validating digital signatures as an incident responder, relying upon the efficacy of an EDR solution to detect evil, or enforcing strict application whitelisting policies, trust (whether implicit or implicit) constitutes the backbone of all security decisions made in our industry. Learn how trust is implemented, enforced, subverted by attackers, and defended in the context on Windows. The trust architecture in Windows is inherently extensible, leading it to a host of attacks. This talk should help confirm that nothing can be trusted on a system that is suspected to be compromised.


Presenters:

  • Matt Graeber
    Matt Graeber (@mattifestation) is a Security Researcher at Specter Ops, Inc. and has a passion for developing offensive tradecraft and reverse engineering. Since 2013, Matt has been promoting the "living off the land" methodology of using and abusing built-in or trusted applications to carry out attacker objectives which results in a perpetual detection arms race. Matt is also very much interested in code signing and trust validation/enforcement.

Links:

Similar Presentations: