SlideShare a Scribd company logo

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

44CON
44CON

Windows 10: 2 Steps Forward, 1 Step Back by James Forshaw

Technology
1 of 54
Download to read offline
Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo 44con 2015 1
James Forshaw @tiraniddo Obligatory Background Slide 2 ● Researcher in Google’s Project Zero team ● Specialize in Windows ○ Especially local privilege escalation ● Never met a logical vulnerability I didn’t like
James Forshaw @tiraniddo What I’m Going to Talk About ● Some research on Windows 10 from the early preview builds ● Why Windows 10 is awesome for security ● Except for when it isn’t! ● Very much looking at things from a local privilege escalation perspective 3
James Forshaw @tiraniddo Windows 10 4
James Forshaw @tiraniddo Windows Local Attack Surface 5
James Forshaw @tiraniddo Local System Vulnerabilities are Dead! 6 #opfreecalc
James Forshaw @tiraniddo System Services and Drivers 7 Windows 7 SP1 Windows 8.1 Windows 10 Services 150 169 196 Drivers 238 253 291 7 8 10
James Forshaw @tiraniddo Service Privilege Levels 8 Windows 7 SP1 Windows 8.1 Windows 10 Local System 53.69% 56.89% 61.14% Local Service 32.21% 31.14% 28.50% Network Service 14.09% 11.98% 10.36% 7 8 10
James Forshaw @tiraniddo SVCHOST Running as User? 9 Malware? Nope!
James Forshaw @tiraniddo Service Start Mode 10 Windows 7 Windows 8.1 Windows 10 Auto 30.07% 26.19% 24.10% Disabled 5.23% 3.57% 2.05% Manual 53.59% 43.45% 42.56% Triggered 11.11% 26.79% 31.28% 7 8 10
James Forshaw @tiraniddo Accessible Device Objects 11 7 8 10 Windows 7 Windows 8.1 Windows 10 Read/Write 64 54 52 Read-Only 6 6 5
James Forshaw @tiraniddo Isolated User Mode 12
James Forshaw @tiraniddo Isolated LSASS 13 Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130
James Forshaw @tiraniddo But Sadly ● Not available in consumer builds only Enterprise ● Can’t use your own code to isolate anything ● Very restrictive use 14
James Forshaw @tiraniddo Edge Browser 15
James Forshaw @tiraniddo Microsoft Edge Security 16 ActiveX is gone(ish) AppContainer Sandbox Always On
James Forshaw @tiraniddo Microsoft Edge and Flash 17 Nope!
James Forshaw @tiraniddo Has No One Learnt from the Past? 18
James Forshaw @tiraniddo Guess Trident Wasn’t a Suitable Base? 19
James Forshaw @tiraniddo User Account Control 20
James Forshaw @tiraniddo They’ve Fixed Some Bugs I’ve Reported 21 https://code.google.com/p/google-security-research/issues/detail?id=156 https://code.google.com/p/google-security-research/issues/detail?id=220
James Forshaw @tiraniddo UAC Auto Elevation Directory Check 22 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
James Forshaw @tiraniddo Folder Permissions 23 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
James Forshaw @tiraniddo AiCheckSecureApplicationDirectory Bypass 24 ● Need to be able to write a file with a secure path ● How can we write to C:Windows without writing to C:Windows? c:windows malicious.exe ALLOWED c:windows ???? ALLOWED?
James Forshaw @tiraniddo NTFS Alternate Data Streams FTW! 25 c:windows tracing:malicious.exe ALLOWED ● Only need FILE_WRITE_DATA/FILE_ADD_FILE access right on directory to created named stream.
James Forshaw @tiraniddo Didn’t Fix All my UAC Bypasses Though 26 https://code.google.com/p/google-security-research/issues/detail?id=219
James Forshaw @tiraniddo DEMO Elevated Token Capture 27
James Forshaw @tiraniddo 28 Well MS Almost Did If Token Level < Impersonate If Process has Impersonate Privilege ALLOWED Restrict to Identification Level If Process IL < Token IL If Process User == Token User Elevation Check
James Forshaw @tiraniddo Elevated Token Impersonation ● Blocks impersonating an elevated token unless process token is also elevated ● Must be enabled in SeCompatFlags kernel flag 29 if (SeTokenIsElevated(ImpersonationToken)) { if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) { return STATUS_PRIVILEGE_NOT_HELD; } }
James Forshaw @tiraniddo In The End Still the “Wrong” Default IMO! 30
James Forshaw @tiraniddo If You Change Task Manager Needs a Prompt 31
James Forshaw @tiraniddo Windows Symbolic Links 32 Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions Windows Vista - Nov 30 2006 NTFS Symbolic Links
James Forshaw @tiraniddo Mitigated in Sandboxes 33 NTFS Mount Points Registry Key Symbolic Links Object Manager Symbolic Links BANNED LIMITED LIMITED
James Forshaw @tiraniddo Mitigations Backported 34
James Forshaw @tiraniddo DEMO NTFS Mount Point Mitigation Bypass 35
James Forshaw @tiraniddo Win32k Hardening 36
James Forshaw @tiraniddo Fonts Are Bad 37
James Forshaw @tiraniddo Making it Less Bad User Mode Font Driver 38 Disable Custom Font Policy (undocumented) PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 }; policy.DisableNonSystemFonts = 1; policy.AuditNonSystemFontLoading = 1; SetProcessMitigationPolicy( ProcessFontDisablePolicy, &policy, sizeof(policy));
James Forshaw @tiraniddo User Mode Font Driver Only SYSTEM can open process?Running as user in AppContainer 39
James Forshaw @tiraniddo Process Token Default DACL After September Patch 40 Before September Patch
James Forshaw @tiraniddo Thread DACLs Allow User Access 41
James Forshaw @tiraniddo Extra, UMFD Only Win32k Escape Calls 42 NtGdiEscape Command UMFD Escape Call 13 UmfdEscEngGetFileChangeTime 14 UmfdEscEngGetFilePath 15 UmfdEscEngComputeGlyphSet 16 UmfdEscEngCreateFile 17 UmfdEscParseFontResources 18 atmfdFontManagement (enable kernel ATMFD driver) And Others ...
James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 43 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch
James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 44 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch Attacker Controlled No Security Check All Gone
James Forshaw @tiraniddo Process Silos ● New process container mechanism ● Possibly related to docker support ● Works in a similar fashion to process jobs 45 NTSTATUS NtCreateSiloObject( PHANDLE handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
James Forshaw @tiraniddo Opening Device Object 46 DeviceHarddisk1SomeName DeviceHarddisk1 SomeName Device Path Native NT Path Device Namespace Path Harddisk Driver Create File Handler Driver Responsible for Security
James Forshaw @tiraniddo Replace the Root Object Directory 47 // Create anonymous directory object InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); NtCreateDirectoryObject(&hDir, &ObjectAttributes, ...); NtSetInformationSiloObject(hSilo, SiloObjectRootDirectory, &hDir, sizeof(hDir)); NtAssignProcessToSiloObject(hSilo, GetCurrentProcess()); // Process root directory now empty Exploit: https://code.google.com/p/google-security-research/issues/detail?id=459
James Forshaw @tiraniddo Fixed in RTM ● Silo functionality rolled into Job objects ● Changed object directory now behind a TCB check ● Shame for Chrome, would have been a useful feature 48
James Forshaw @tiraniddo Public Service Announcement Doing too much security research on Beta software can make you sad 49
James Forshaw @tiraniddo (Dis)Honourable Mentions Control Flow Guard (CFG) Privacy Options Cumulative Updates Microsoft Cross-Signed Drivers 50
James Forshaw @tiraniddo Conclusions 51 2 steps forward, 1 step back. Still plenty of things to attack!
James Forshaw @tiraniddo DEMO Local System Elevation 52
James Forshaw @tiraniddo Good Old Issue 222 53 https://code.google.com/p/google-security-research/issues/detail?id=222
James Forshaw @tiraniddo Questions? 54

Recommended

The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox Mitigations
James Forshaw
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on Windows
OWASP Delhi
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
Mimikatz
MimikatzMimikatz
Mimikatz
Positive Hack Days
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 

Recommended

The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox Mitigations
James Forshaw
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on Windows
OWASP Delhi
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
Mimikatz
MimikatzMimikatz
Mimikatz
Positive Hack Days
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
Kernel TLV
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
Lionel Faleiro
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Jérôme Petazzoni
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Control
enigma0x3
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guide
lcplcp1
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
Jorge Orchilles
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
1
11
1
Indresh Upadhyay
 

More Related Content

What's hot

Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
Jorge Orchilles
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 

What's hot (20)

PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Control
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guide
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 

Viewers also liked

Useful facts
Useful factsUseful facts
Useful facts
bc dalai
 
Chapter10 Server Administration
Chapter10 Server AdministrationChapter10 Server Administration
Chapter10 Server Administration
Raja Waseem Akhtar
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON
 

Viewers also liked (20)

Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
1
11
1
 
Entrevista Hector Robles revista MED PLUS n99
Entrevista Hector Robles revista MED PLUS n99Entrevista Hector Robles revista MED PLUS n99
Entrevista Hector Robles revista MED PLUS n99
 
Useful facts
Useful factsUseful facts
Useful facts
 
Hedly
HedlyHedly
Hedly
 
CMIS 320 RESEARCH PAPER
CMIS 320 RESEARCH PAPERCMIS 320 RESEARCH PAPER
CMIS 320 RESEARCH PAPER
 
CMIT 321 WEEK 2 QUIZ
CMIT 321 WEEK 2 QUIZCMIT 321 WEEK 2 QUIZ
CMIT 321 WEEK 2 QUIZ
 
operating system 1
operating system 1operating system 1
operating system 1
 
Chapter10 Server Administration
Chapter10 Server AdministrationChapter10 Server Administration
Chapter10 Server Administration
 
Windows Server 2003 Administration
Windows Server 2003 AdministrationWindows Server 2003 Administration
Windows Server 2003 Administration
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case Study
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 

Similar to 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
Soya Aoyama
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Igor Korkin
 
Man-In-The-Disk
Man-In-The-DiskMan-In-The-Disk
Man-In-The-Disk
Priyanka Aash
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
CODE BLUE
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
EnergySec
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
Soya Aoyama
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
GangSeok Lee
 
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsBad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Vincent Tan
 

Similar to 44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back (20)

James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator action
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windows
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by Azad
 
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
 
Man-In-The-Disk
Man-In-The-DiskMan-In-The-Disk
Man-In-The-Disk
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
 
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsBad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
 

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 

More from 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

  • 1. Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo 44con 2015 1
  • 2. James Forshaw @tiraniddo Obligatory Background Slide 2 ● Researcher in Google’s Project Zero team ● Specialize in Windows ○ Especially local privilege escalation ● Never met a logical vulnerability I didn’t like
  • 3. James Forshaw @tiraniddo What I’m Going to Talk About ● Some research on Windows 10 from the early preview builds ● Why Windows 10 is awesome for security ● Except for when it isn’t! ● Very much looking at things from a local privilege escalation perspective 3
  • 5. James Forshaw @tiraniddo Windows Local Attack Surface 5
  • 6. James Forshaw @tiraniddo Local System Vulnerabilities are Dead! 6 #opfreecalc
  • 7. James Forshaw @tiraniddo System Services and Drivers 7 Windows 7 SP1 Windows 8.1 Windows 10 Services 150 169 196 Drivers 238 253 291 7 8 10
  • 8. James Forshaw @tiraniddo Service Privilege Levels 8 Windows 7 SP1 Windows 8.1 Windows 10 Local System 53.69% 56.89% 61.14% Local Service 32.21% 31.14% 28.50% Network Service 14.09% 11.98% 10.36% 7 8 10
  • 9. James Forshaw @tiraniddo SVCHOST Running as User? 9 Malware? Nope!
  • 10. James Forshaw @tiraniddo Service Start Mode 10 Windows 7 Windows 8.1 Windows 10 Auto 30.07% 26.19% 24.10% Disabled 5.23% 3.57% 2.05% Manual 53.59% 43.45% 42.56% Triggered 11.11% 26.79% 31.28% 7 8 10
  • 11. James Forshaw @tiraniddo Accessible Device Objects 11 7 8 10 Windows 7 Windows 8.1 Windows 10 Read/Write 64 54 52 Read-Only 6 6 5
  • 13. James Forshaw @tiraniddo Isolated LSASS 13 Image from http://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130
  • 14. James Forshaw @tiraniddo But Sadly ● Not available in consumer builds only Enterprise ● Can’t use your own code to isolate anything ● Very restrictive use 14
  • 16. James Forshaw @tiraniddo Microsoft Edge Security 16 ActiveX is gone(ish) AppContainer Sandbox Always On
  • 17. James Forshaw @tiraniddo Microsoft Edge and Flash 17 Nope!
  • 18. James Forshaw @tiraniddo Has No One Learnt from the Past? 18
  • 19. James Forshaw @tiraniddo Guess Trident Wasn’t a Suitable Base? 19
  • 20. James Forshaw @tiraniddo User Account Control 20
  • 21. James Forshaw @tiraniddo They’ve Fixed Some Bugs I’ve Reported 21 https://code.google.com/p/google-security-research/issues/detail?id=156 https://code.google.com/p/google-security-research/issues/detail?id=220
  • 22. James Forshaw @tiraniddo UAC Auto Elevation Directory Check 22 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
  • 23. James Forshaw @tiraniddo Folder Permissions 23 c:windows c:windowstracingapp.exe app.exe ALLOWED BANNED
  • 24. James Forshaw @tiraniddo AiCheckSecureApplicationDirectory Bypass 24 ● Need to be able to write a file with a secure path ● How can we write to C:Windows without writing to C:Windows? c:windows malicious.exe ALLOWED c:windows ???? ALLOWED?
  • 25. James Forshaw @tiraniddo NTFS Alternate Data Streams FTW! 25 c:windows tracing:malicious.exe ALLOWED ● Only need FILE_WRITE_DATA/FILE_ADD_FILE access right on directory to created named stream.
  • 26. James Forshaw @tiraniddo Didn’t Fix All my UAC Bypasses Though 26 https://code.google.com/p/google-security-research/issues/detail?id=219
  • 28. James Forshaw @tiraniddo 28 Well MS Almost Did If Token Level < Impersonate If Process has Impersonate Privilege ALLOWED Restrict to Identification Level If Process IL < Token IL If Process User == Token User Elevation Check
  • 29. James Forshaw @tiraniddo Elevated Token Impersonation ● Blocks impersonating an elevated token unless process token is also elevated ● Must be enabled in SeCompatFlags kernel flag 29 if (SeTokenIsElevated(ImpersonationToken)) { if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) { return STATUS_PRIVILEGE_NOT_HELD; } }
  • 30. James Forshaw @tiraniddo In The End Still the “Wrong” Default IMO! 30
  • 31. James Forshaw @tiraniddo If You Change Task Manager Needs a Prompt 31
  • 32. James Forshaw @tiraniddo Windows Symbolic Links 32 Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions Windows Vista - Nov 30 2006 NTFS Symbolic Links
  • 33. James Forshaw @tiraniddo Mitigated in Sandboxes 33 NTFS Mount Points Registry Key Symbolic Links Object Manager Symbolic Links BANNED LIMITED LIMITED
  • 35. James Forshaw @tiraniddo DEMO NTFS Mount Point Mitigation Bypass 35
  • 38. James Forshaw @tiraniddo Making it Less Bad User Mode Font Driver 38 Disable Custom Font Policy (undocumented) PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = { 0 }; policy.DisableNonSystemFonts = 1; policy.AuditNonSystemFontLoading = 1; SetProcessMitigationPolicy( ProcessFontDisablePolicy, &policy, sizeof(policy));
  • 39. James Forshaw @tiraniddo User Mode Font Driver Only SYSTEM can open process?Running as user in AppContainer 39
  • 40. James Forshaw @tiraniddo Process Token Default DACL After September Patch 40 Before September Patch
  • 41. James Forshaw @tiraniddo Thread DACLs Allow User Access 41
  • 42. James Forshaw @tiraniddo Extra, UMFD Only Win32k Escape Calls 42 NtGdiEscape Command UMFD Escape Call 13 UmfdEscEngGetFileChangeTime 14 UmfdEscEngGetFilePath 15 UmfdEscEngComputeGlyphSet 16 UmfdEscEngCreateFile 17 UmfdEscParseFontResources 18 atmfdFontManagement (enable kernel ATMFD driver) And Others ...
  • 43. James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 43 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch
  • 44. James Forshaw @tiraniddo UmfdEscEngCreateFile in Win32kFull.sys // Name is only SystemRootSystem32FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); IoCreateFile(&FileHandle, FILE_GENERIC_READ, &Attrs, ..., FILE_OPEN, ..., IO_FORCE_ACCESS_CHECK); return FileHandle; } 44 // Name is SystemRootSystem32QLCLF.ATM, // ATMLIB.DLL or FAC.ATM HANDLE EngCreateFile(UNICODE_STRING Name, BOOL ReadOnly) { ACCESS_MASK Access = FILE_GENERIC_READ; OBJECT_ATTRIBUTES Attrs; HANDLE Handle = -1; ULONG Disposition = FILE_OPEN; if (!ReadOnly) { Access |= FILE_WRITE_DATA; Disposition = FILE_OPEN_IF; } InitializeObjectAttributes(&Attrs, &Name, OBJ_CASE_INSENSITIVE, ...); ZwCreateFile(&FileHandle, Access, &Attrs, ..., Disposition, ...); return FileHandle; } Before September Patch After September Patch Attacker Controlled No Security Check All Gone
  • 45. James Forshaw @tiraniddo Process Silos ● New process container mechanism ● Possibly related to docker support ● Works in a similar fashion to process jobs 45 NTSTATUS NtCreateSiloObject( PHANDLE handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
  • 46. James Forshaw @tiraniddo Opening Device Object 46 DeviceHarddisk1SomeName DeviceHarddisk1 SomeName Device Path Native NT Path Device Namespace Path Harddisk Driver Create File Handler Driver Responsible for Security
  • 47. James Forshaw @tiraniddo Replace the Root Object Directory 47 // Create anonymous directory object InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); NtCreateDirectoryObject(&hDir, &ObjectAttributes, ...); NtSetInformationSiloObject(hSilo, SiloObjectRootDirectory, &hDir, sizeof(hDir)); NtAssignProcessToSiloObject(hSilo, GetCurrentProcess()); // Process root directory now empty Exploit: https://code.google.com/p/google-security-research/issues/detail?id=459
  • 48. James Forshaw @tiraniddo Fixed in RTM ● Silo functionality rolled into Job objects ● Changed object directory now behind a TCB check ● Shame for Chrome, would have been a useful feature 48
  • 49. James Forshaw @tiraniddo Public Service Announcement Doing too much security research on Beta software can make you sad 49
  • 50. James Forshaw @tiraniddo (Dis)Honourable Mentions Control Flow Guard (CFG) Privacy Options Cumulative Updates Microsoft Cross-Signed Drivers 50
  • 51. James Forshaw @tiraniddo Conclusions 51 2 steps forward, 1 step back. Still plenty of things to attack!
  • 52. James Forshaw @tiraniddo DEMO Local System Elevation 52
  • 53. James Forshaw @tiraniddo Good Old Issue 222 53 https://code.google.com/p/google-security-research/issues/detail?id=222