An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Offered By: YouTube
Course Description
Overview
Explore stealthy host persistence techniques using security descriptors in this 51-minute conference talk from Derbycon 7. Dive into offensive implications, WinRM backdoors, and misconfigured configurations. Learn about general persistence approaches for domain-joined systems, securable objects, and security descriptors. Examine object rights, services, and anti-audit measures. Discover existing tools, caveats, and object takeover primitives. Analyze case studies involving Service Control Manager, WMI classes, and printer objects. Investigate remote registry access, hash dumping, and backdooring techniques. Gain insights on defensive enumeration and key takeaways for enhancing system security.
Syllabus
Intro
Introductions
Overview
Offensive Implications
WinRM Backdoor
Misconfigured Configurations
General Persistence Approach
Domain Join Systems
We Believe
What is a Securable Object
What is a Security Descriptor
Where do security descriptors come from
What are DACLs
Object rights
Services
AntiAudit Measures
Methodology
Existing Tools
Caveats
Security Descriptors
Object Takeover Primitives
Process Rights
Case Studies
Service Control Manager
Security Descriptor
DCOM
WMI Classes
WMI Remote Access
Printer Objects
Printer RPC
Commandlets
Remote Registry
Hash Dumping
Backdooring
MEMEMIC
Defensive Enumeration
Takeaways
Microsoft troll slides
RPC protocols
Related Courses
Computer Security - Stanford University via Coursera
Cryptography II - Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story - University of London International Programmes via Coursera
Building an Information Risk Management Toolkit - University of Washington via Coursera
Introduction to Cybersecurity - National Cybersecurity Institute at Excelsior College via Canvas Network