Evading Autoruns - DerbyCon 7.0
Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017)
Watch the talk on YouTube
Abstract
When it comes to offense, maintaining access to your endpoints is key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris will expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass will include a live demo and recommendations for detection.
For the past 10 years, Kyle Hanslovan has supported defensive and offensive cyber operations in the U.S. Intelligence Community and currently is the CEO of Huntress Labs. He actively participates in the ethical hacking community as a Black Hat conference trainer, STEM mentor, and Def Con CTF champion. Additionally, he serves in the Maryland Air National Guard as a Cyber Warfare Operator.

Chris Bisnett is a veteran information security researcher with more than a decade of experience in offensive and defensive cyber operations. While serving with the NSA Red Team, he attacked government networks and systems to identify and remedy vulnerabilities. He is also a recognized Black Hat conference trainer for the “Fuzzing For Vulnerabilities” and “Embedded Fuzzing” courses.
References
- Autoruns for Windows
- Hasherezade Shell32.dll
- Casey Smith SyncAppvPublishingServer
- Nick Landers SyncAppvPublishingServer on Win7
- Kyle Hanslovan SyncAppvPublishingServer Nesting
Credits
Thanks to:
- Mark Russinovich (@markrussinovich)
- Casey Smith (@subTee)
- Matt Graeber (@mattifestation)
- @Hasherezade
- and of course DerbyCon for having us!