Windows Agentless C2 - Abusing the MDM Client Stack

Explore groundbreaking research on exploiting the Windows Mobile Device Management (MDM) stack to create an agentless Command and Control (C2) system in this conference talk from Ekoparty 2023. Delve into a comprehensive analysis of the MDM client architecture, protocols, components, and workflows, uncovering previously undisclosed vulnerabilities and attack vectors. Follow the speaker's journey in developing a custom C2 server, implementing MDM protocols, crafting malicious commands, and extending the MDM Client stack to support second-stage payloads. Learn how to exploit the MDM client architecture for remote device control, privilege escalation, security feature disabling, and arbitrary code deployment without traditional agent installation. Gain insights into innovative techniques for exploiting Windows features and discover potential defensive strategies against this emerging threat vector. Presented by Marcos Oviedo, an infosec professional specializing in Windows internals and reverse engineering, this talk aims to inspire further research and contribute to the information security field.

Windows Agentless C2: (Ab)using the MDM Client Stack - Marcos Oviedo - Ekoparty 2023