Windows Operating System Archaeology

Presented at Wild West Hackin' Fest 2017, Oct. 27, 2017, 2:20 p.m. (45 minutes).

The modern Windows Operating System carries with it an incredible amount of legacy code.The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence and privilege escalation. We will present novel persistence techniques using only the registry and COM Objects.

Presenters:

• Matt Nelson
  Matt Nelson (@enigma0x3) is a red teamer and security researcher. After spending time as a system administrator, he brings a passion for researching and pushing new offensive and defensive techniques into the security industry. Blog: enigma0x3.net
• Casey Smith
  Casey Smith (@subtee) has a passion for understanding and testing the limits of defensive systems.

Links:

• https://wildwesthackinfest2017.sched.com/event/B1cZ/windows-operating-system-archaeology
• https://infocon.org/cons/Wild West Hackin Fest/Wild West Hackin Fest - Deadwood 2017/Windows Operating System Archaeology.mp4
• https://infocon.org/cons/Wild West Hackin Fest/Wild West Hackin Fest - Deadwood 2017/Windows Operating System Archaeology.eng.srt (subtitles)
• https://www.youtube.com/watch?v=fo4I-EPNYE4

Similar Presentations:

• TROOPERS17 (2017) / Demystifying COM
• DEF CON 31 (2023) / #NoFilter: Abusing Windows Filtering Platform for privilege escalation
• REcon 2023 / Hello 1994: Abusing Windows Explorer via Component Object Model in 2023