Cracking the Perimeter with SharpShooter - Dominic Chell - Hack in Paris - 2019

Explore advanced payload generation techniques for red team engagements in this 42-minute conference talk from Hack in Paris. Learn how to bypass next-generation endpoint protections, including Cylance, Palo Alto TRAPS, and FireEye, using the open-source SharpShooter framework. Discover methods for profiling organizations, circumventing static analysis on disk, in-memory, and across networks, and evading sandboxing through payload keying. Delve into novel scriptlet execution techniques using XML stylesheets, COM, and application whitelisting bypasses. Gain insights into targeting Skype for Business, understanding signature-based detection, and leveraging various payload delivery methods such as HTML smuggling and DLL hijacking. Examine the MSZM architecture, OMSI, and Squiggly Calm staging workflow for enhanced evasion. Conclude with a discussion on detection prevention strategies and tradecraft considerations for red teamers.

Introduction
Getting a foothold
SharpShooter
What does it do
NetTJScript
HTML Smuggling
SharpShooter Tricks
Targeting Skype for Business
SharpShooter Demo
Signatures
VirusTotal
MSZ
MSZ Architecture
OMSI
Squiggly
Calm Staging
Workflow
XML DOM
Exploit
Example
AMZ payload
DLL hijacking
MG scam before patch
Excel for trick
Excel for payload
Tradecraft
Indicators
Dry Permissions
Injection
Spoofing
Demo
Detection Prevention
Prevention Strategies
Conclusions