#RomHack2020 Speakers & Talks
Antonio Cocomazzi
Windows Privilege Escalations: Still abusing local service accounts to get SYSTEM privilege
[ Video | Slides ]

Leo Di Donato
Falco: runtime security analysis through syscalls
[ Video | Slides ]

Raffaele Di Taranto & Vito Lucatorto
From 0 to Hero - Actionable Threat Intelligence
[ Video | Slides ]

Pawel Rzepa
Serverless security: attack & defense
[ Video | Slides ]

Marcello Salvati
BYOI (Bring Your Own Interpreter) payloads: Fusing the powah of .NET with a scripting language of your choosing
[ Video | Slides ]

Antonio Cocomazzi
Windows Privilege Escalations: Still abusing local service accounts to get SYSTEM privilege

[ Video | Slides ]
[ Local | Tags: attack, windows, privilege escalation | Language: ]
Privilege escalation is a required step for an attacker in order to get full control of a system starting from lower privileged access.
In Windows there are many ways to reach this goal. This talk will focus on showing all the recent techniques used to perform privilege escalation starting from a service account.

This scenario is quite common when attacking web applications hosted on Windows servers. When a web server is compromised (through code execution or arbitrary file write) it is possible to run commands on behalf of the web server, which is running as a service. MSSQL servers are another example of services that could be compromised by a malicious attacker (e.g. via xp_cmdshell).

WSH (Windows Service Hardening) is a feature enabled since Windows Vista with the goal of hardening services. These “isolation” techniques are often not applied and, in some cases, can be abused too. As an example, the famous Rotten/JuicyPotato exploit uses the DCOM/NTLM reflection vulnerability.

Those techniques require SeImpersonatePrivilege, which is considered a "God privilege" by MS.
The impersonation privilege is assigned by default to any service account, and that opens a hole that could be abused by attackers in order to escalate privileges.
MS does not consider this boundary (going from SERVICE with SeImpersonate to SYSTEM) a security boundary but just a safety boundary. For this reason those vulnerabilities are classified as "won't fix" by MS.

This talk will describe all the recent techniques, showing how it is still possible to escalate privileges from SERVICE to SYSTEM in multiple ways.

Some mitigations will be advised too; sysadmins should never rely on default service account configuration to segregate services/processes.

whois Antonio

Antonio "splinter_code" Cocomazzi is a system engineer with a particular interest in malware analysis. He also conducts independent research with a focus on discovering new vulnerabilities and, more in general, in digging into Windows OS internals.

The main focus of his activities is on researching new ways of attacking Windows operating systems and finding cutting edge techniques to reach stealthiness in heavily monitored environments.

He enjoys reversing any kind of binary, from packed malware to Windows internal components. He likes playing online CTFs and writing/publishing offensive tools and security research on his GitHub channel, mostly based on Windows OS.

Leo Di Donato
Falco: runtime security analysis through syscalls

[ Video | Slides ]
[ Local | Tags: defense, cloud, kernel | Language: ]
Our daily job as Software Engineers is commonly to build software, a.k.a. abstractions. While doing so, we hide some complexity, but at the same time, we also increase the entropy and often the attack surface too. This is even more true in today's complex cloud-native environments.

It turns out that to secure things we need to dig deeper into the abstraction layers, uncovering all their complexities that we carefully tried to avoid, putting those abstractions in place.
For example, to securely run our applications on our Kubernetes clusters we first need to understand how all the Kubernetes layers interface with the Linux kernel. To understand it, we need to have full visibility from the kernel up.

One way to get broad and deep visibility into our systems when doing security analysis is to look directly at what is happening in the Linux kernel.

This is what Falco does.

In every Linux system we have the syscall interface, which lets us trace what userspace processes are doing at the upper level and eventually take action. However, this is easier said than done, because tracing and processing every system call in userspace results in a very unique set of challenges.

Join this talk to discover exactly what those challenges are and how Falco approaches them using eBPF, a kernel module, or a very hackish ptrace-based producer.

whois Leo

Leo is an Open Source Software Engineer at Sysdig in the Office of the CTO, where he's in charge of the Open Source methodologies and projects. He's a core maintainer of Falco, a Cloud Native tool for runtime security incubated by the CNCF. He is also involved in the Linux Foundation's eBPF project (IO Visor) as a maintainer of the kubectl-trace project. In the past, he created go-syslog, a blazingly fast Go parser for syslogs and transports, and other OSS tools like kubectl-dig, a tool for deep visibility into Kubernetes directly from kubectl. He has also been involved in the CNCF SIG-Security group from its early days.

Raffaele Di Taranto & Vito Lucatorto
From 0 to Hero - Actionable Threat Intelligence

[ Video | Slides ]
[ Local | Tags: defense, threat intel | Language: ]
Hi there, let’s talk about Operational Threat Intelligence.

What is it, and why do we need it in a Security Operation Center?
Threat Intel is a service that any SOC must have in order to analyze, identify and correlate emerging cyber threats. The service is helpful for managing budget and monitoring evolving cyber scenarios, improving correlation capabilities, and managing indicators of compromise (IoCs) that can be used to prevent and detect malicious Threat Actors and CyberCrime that scampers on your own network.

How can we do all of this?
First of all we need a process that involves the IoC producers (internal or external) and an open source Threat Intelligence Platform (TIP) tailored to us. The TIP offers these capabilities: validate the IoCs against a false positive detection logic, store and enrich them with metadata, and manage decay time.

What is the meaning of Actionable Threat Intelligence?
IoCs, once stored, need to be distributed to the systems that defend the cyber perimeter. In this way the risk of malicious events can be reduced thanks to detection and prevention technologies.

Are IoCs, like diamonds, forever?
Obviously not! An obsolescence strategy is fundamental in order to reach a compromise between tech limitations and the company’s defense capabilities.

whois Raffaele

Raffaele is a Cyber Security Engineer hungry for knowledge all around the security space. Following his interests, he studied Computer Engineering at the University of Salerno and subsequently at Politecnico di Torino, where he cooperated in security projects funded by the EU. Raffaele worked in Security Operation Centers of defense companies where he gained deep knowledge in operational security themes and in the design of security solutions and services. He thinks that a security system is "only" a tool: it must be optimized for the context and, where feasible, adapted to the people; that's why he's focusing on the automation and integration of systems, eliminating repetitive tasks with no added value. Attracted by the themes of threat intelligence, offensive security and security solutions design, in order to feed his hunger for knowledge he doesn't mind new challenges in the design of security solutions and services, especially in extended cyber perimeters.

whois Vito

Vito Lucatorto is a Cyber Security Engineer with a passion for Open Source systems. He studied at the University of Bari and later at the University of Milan. Creative and curious, with many projects in mind, he is interested in automating cyber security processes and passionate about threat intelligence and intelligence activity. He likes to work in critical contexts, to study complex and little-debated topics, to analyze unstructured incidents, and to discover new defense and attack techniques.
Vito is specialized and interested in online anti-fraud and CyberCrime aspects.
Trained in a financial environment, he learned fundamental aspects such as analysis and meticulousness in performing tasks, and he desires to follow and design high value projects for Cyber Security offices.

Pawel Rzepa
Serverless security: attack & defense

[ Video | Slides ]
[ Remote | Tags: attack, defense, cloud, serverless | Language: ]
In this talk I'm going to show you various attack vectors against serverless applications built from AWS Lambda functions.

You'll see:
- my findings on publishing malicious NPM packages to smuggle malicious code into legitimate-looking dependencies
- examples of validation errors in serverless applications, including Denial of Wallet attacks and RCE in a fugacious, serverless environment
- serverless attacks and security nuances in Azure and GCP
- recipes to prevent those attacks

whois Pawel

Pawel is a senior security consultant at SecuRing. On a day to day basis he is responsible for performing penetration tests and cloud security assessments. He has wide experience in the security field, gained inter alia as a fuzzer developer in Spirent, pentester in EY GSS, security auditor in Credit Agricole and threat analyst in IBM SOC. His skills are proven by the OSCP, eMAPT, AWS SAA and AWS CSS certificates. Pawel actively supports the OWASP community by arranging local OWASP chapter meetings in Wroclaw.

Marcello Salvati
BYOI (Bring Your Own Interpreter) payloads: Fusing the powah of .NET with a scripting language of your choosing

[ Video | Slides ]
[ Remote | Tags: attack, windows, scripting | Language: ]
Offensive PowerShell tradecraft is in "Zombie Mode": it's sort of dead, but not entirely.
With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years, Red Teamers / Pentesters & APT groups have started to shy away from PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language. Operationally this has a few major downsides: we can't be as "flexible", as setting up a proper development environment has an overhead and can be time consuming, and you have to compile all the things all the time, etc.

Bottom line is: I'm lazy, and creating your malwarez/custom payloads in C# is not as easy & straightforward as it would be in PowerShell or really any scripting language. This raises the following quandary: can we somehow get our own scripting language interpreter on the target machine while still remaining opsec safe, and use it to perform all of our post-exploitation activities? Turns out that by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages, allowing you to natively execute scripts written in third-party languages (like Python) on Windows!
Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choice, but it also allows you to remain completely in memory and has a number of advantages over traditional C# payloads!

Essentially, BYOI payloads allow you to have all the "power" of PowerShell, without going through PowerShell in any way!

In this talk we will be covering some key .NET framework concepts in order to understand why this is possible, how to actually do the interpreter/engine/runtime embedding, the concept (that I coined) of "engine inception", the differences between traditional C# payloads & BYOI payloads, demos of some BYOI payloads, and finally SILENTTRINITY: an open-source C2 framework that I've written that attempts to weaponize some of the BYOI concepts.

whois Marcello

Marcello Salvati (@byt3bl33d3r) is a security consultant at BlackHills Infosec by day and by night a tool developer who discovered a novel technique to turn tea and dank memes into somewhat functioning code. He's also really good at writing bios and is really sick of the food in the US (seriously though, it's awful).

Cyber Saiyan

RomHack is made with ❤ by Cyber Saiyan