https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/
1、容器安全
https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence.pdf
https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf
Developers are the new Targets
New Attacks: Host Rebinding & Shadow Container
Protect your PIPE: Scan images & Monitor Containers inRuntime
2、WEB安全
a) WEB缓存欺骗攻击
https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf
https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf
POC:
1. The attacker lures a logged-on user to accesshttps://www.bank.com/account.do/logo.png.
2. The victim's browser requests https://www.bank.com/account.do/logo.png.
3. The request arrives to the proxy, which is not familiar with this file, and thereforeasks the web server for it.
4. The web server returns the content of the victim's account page with a 200 OKresponse, meaning the URL stays the same.
5. The caching mechanism receives the file and identifies that the URL ends with astatic extension (.png). Because the mechanism is configured to cache all static filesand disregard any caching headers, the imposter .png file is cached. A new directorynamed account.do is created in the cache directory, and the file is cached with thename logo.png.
6. The user receives his account page.
7. The attacker accesses https://www.bank.com/account.do/logo.png. The requestarrives to the proxy server, which directly returns the victim’s cached account pageto the attacker's browser.
Exploit(Paypal中招):
https://www.youtube.com/watch?v=e_jYtALsqFs
b)应用安全成熟度模型
https://www.blackhat.com/docs/us-17/wednesday/us-17-Valtman-The-Art-Of-Securing-100-Products.pdf
3、 Ransomeware
a)Tracking desktopransomware payments
https://www.blackhat.com/docs/us-17/wednesday/us-17-Invernizzi-Tracking-Ransomware-End-To-End.pdf
Only 37% of users backup their data
Since 2016 “ransomware” search queries increased by 877%
Life of a ransomware infection
漏洞:
CVE-2017-0290
CVE-2016-7240
CVE-2016-7200
CVE-2017-5030
5、渗透测试
a) Microsoft The Industrial Revolution of Lateral Movement
https://www.blackhat.com/docs/us-17/thursday/us-17-Beery-The-Industrial-Revolution-Of-Lateral-Movement.pdf
当黑客团体的CEO必须要把黑客业务进行创新,并且快速增长;还需要开拓和扩展黑客业务;
Cyber Kill Chain从技术层面的攻击转向Cyber Value Chain价值链,黑客需要的是数据而不是原材料被攻击者的信息;
自动化的横向移动将会成为新的热点,包括WMI,PSEXEC,WINRM,ATEXEC等等
出现过的工具:
Gofetch(https://github.com/GoFetchAD/GoFetch)
DeathStar(https://github.com/byt3bl33d3r/DeathStar/blob/master/DeathStar.py)
Invoke-GoFetct
BloodHound(https://github.com/BloodHoundAD/BloodHound)
防御工具
https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
6、AV相关
a) SafeBreach Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox.pdf
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf
Lots and lots of research on exfiltration techniques,
• “Covert Channels in TCP\IP Protocol Stack” by Aleksandra Mileva and Boris Panajotov
• “A survey of covert channels and countermeasures in computer network protocols” bySebastian Zander, Grenville Armitage and Philip Branch
• “Covert timing channels using HTTP Catch Headers” by Dennis Kolegov, OlegBroslavsky and Nikita Oleksov
• “LED-it-GO Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED” byMordechai Guri, Boris Zadov, Eran Atias and Yuval Elovici
• “Diskfiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard DriveNoise” by Mordechai Guri, Yosef Solewicz, Andrey Daidakulov and Yuval Elovici• “BitWhisper: Covert Signaling Channel between Air-Gapped Computers using ThermalManipulations” by Mordechai Guri, Matan Monitz, Yisroel Mirski and Yuval Elovici
• Covert Communications Despite Traffic Data Retention” by George Danezis –N/A since IP ID is no longer implemented as a global counter
• Piggybacking UDP source port/payload (with spoofed source IP) e.g. DNS – egress filtering will kill it• “In Plain Sight: The Perfect Exfiltration” by Amit Klein and Itzik Kotler – AV services/SW updatedon’t have regular HTTP cache layer
“AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing” by Jeremy Blackthorne,Alexei Bulazel, Andrew Fasano, Patrick Biernat and Bülent Yener
• “Your sandbox is blinded: Impact of decoy injection to public malware analysis systems” byKatsunari Yoshioka, Yoshihiko Hosobuchi, Tatsunori Orii and Tsutomu Matsumoto
• “Enter Sandbox – part 8: All those… host names… will be lost, in time, like tears… in… rain”by Hexacorn Ltd.
“Sandbox detection: leak, abuse, test” by Zoltan Balazs
• “Art of Anti Detection 1 – Introduction to AV & Detection Techniques” by Ege Balci
• Google's Project Zero entry “Comodo: Comodo Antivirus Forwards Emulated API callsto the Real API during scans” by Tavis Ormandy
猥琐的案例:
Rocket
The Rocket is the main attacker malware, responsible for sensitive datacollection (which becomes the payload for exfiltration). The Rocketcontains a "vanilla" copy of another malware executable, called Satellite.
Satellite
The Satellite is the secondary malware executable, which triggers the AVagent and later conducts the actual exfiltration.
步骤:
0. The Attacker infects the endpoint with the Rocket
1. The Rocket collects sensitive data from the endpoint andembeds it into the Satellite
2. The Rocket writes the Satellite to disk and executes it
3. The Satellite triggers the AV agent
4. The AV agent sends the Satellite to the AV cloud servicefor further inspection
5. The AV cloud service executes the Satellite in a sandbox
6. The Satellite sends the collected data over the internet to theattacker
Exfiltration demonstrated possible with:
• Google VirusTotal (www.virustotal.com)
• Joe Security Joe Sandbox Cloud (www.file-analyzer.net) – only DNS, limited to 10 queries
• Payload Security Hybrid Analysis (www.reverse.it)
参考资料:
https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf
b) Getting-Past-The-Hype-Of-Endpoint-Security-Solutions
https://www.blackhat.com/docs/us-17/thursday/us-17-Giuliano-Lies-And-Damn-Lies-Getting-Past-The-Hype-Of-Endpoint-Security-Solutions.pdf
https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
https://www.mcafee.com/de/resources/solution-briefs/sb-indicators-of-attack.pdf
目前终端安全解决方案:
7、C&C
a)AD Botnet
https://www.blackhat.com/docs/us-17/wednesday/us-17-Miller-The-Active-Directory-Botnet.pdf
• What if the C2 servers exist inside your internal network?
• What if the C2 servers exist as a part of your critical infrastructure?
• What if the C2 servers use your production services for communication?
• What if the C2 servers can bypass your internal firewalls and networksegmentation to communicate with all hosts?
• What if the C2 servers can communicate with remote attackers using yourproduction cloud?
AD C2 channel的好处
• AD is a central authentication and access control point for organizations
• All end user devices need connectivity to AD for authentication
• All servers (or most) need connectivity to AD for authentication
• This means that AD is a central connectivity point for all systems
• This introduces the capability to bypass all network-layer security using AD
• All users can (by default) write data into their own account attributes
• When AD integrates with Azure AD, then direct remote controls is possible
8、虚拟化安全
a) FireEYE发布RVMI
https://www.blackhat.com/docs/us-17/thursday/us-17-Pfoh-rVMI-A-New-Paradigm-For-Full-System-Analysis.pdf
https://github.com/fireeye/rvmi
9、Powershell
a) Mandiant Powershell混淆
https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf
https://docs.microsoft.com/zh-cn/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
https://github.com/Invoke-IR/Uproot
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
Powershell混淆工具:
veil:https://github.com/Veil-Framework/Veil-Evasion
Powersploit:https://github.com/PowerShellMafia/PowerSploit
Empire:https://github.com/EmpireProject/Empire
10、信息安全
a) Protecting-Visual-Assets-Digital-Image-Counter-Forensics
https://www.blackhat.com/docs/us-17/wednesday/us-17-Mazurov-Brown-Protecting-Visual-Assets-Digital-Image-Counter-Forensics.pdf
Exif Viewer —https://addons.mozilla.org/firefox/addon/exif-viewer/
Stand-alone: ExifTool —https://www.sno.phy.queensu.ca/~phil/exiftool/
Meta信息删除
exiftool filename.jpg -overwrite_original -all=
GPS伪造
exiftool IMG_1270.jpg -GPSLatitude="36 deg 05', 18.4"" -GPSLongitude="115 deg 10', 40.2"" -GPSLongitudeRef=W -overwrite_original
Dheera Venkatraman, “Why blurring sensitive information is a bad idea” https://dheera.net/projects/blur
11、DEVSECOPS
a) Defending-Web-Applications-in-the-Age-of-DevOps
https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age-of-DevOps.pdf
https://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization
The long and perilous journey of Dev->QA->Security->Dev- >Sysops->Production becomes just Dev->Production
Developer Training
– Threat Modeling
– Design Reviews
– Static Analysis
– Dynamic Scanning
– Pentesting
– Security Visibility
– Feedback
– Continuous Feedback
经验之谈:
1.Ability to detect attackers as early as possible in the attack chain
You want to know when the attacker discovers the vulnerability, long before the database goes out thedoor
2.Ability to continuously test and refine your vulnerability triage/response
The beauty of DevOps is that you can actually move faster than your attackers for the first time, especially the more you empower development / DevOps teams
3.Ability to continuously test and refine your incident response/DFIR/SecOps process
b)Orange-Is-The-New-Purple
https://www.blackhat.com/docs/us-17/wednesday/us-17-Wright-Orange-Is-The-New-Purple.pdf
Security's goals?create it securely,maintain it properly,prove it’s secure,plan for sunsetting;
Builder's goals?time to market,correctness,optimization,minimal defects;
-- SANS: 2016 State of Application Security: Closing the Gap
Blue Team provides feedback for Yellow Team, either via gained insight from PurpleTeam, or threat modeling, giving requirements and discussing solutions for:
- DFIR output- Log Generation & Activities- Capability for introspectiono Reference: http://gauss.ececs.uc.edu/Courses/c6056/pdf/logging.pdf
- Log content/events
- Log generationo Something as simple as timezone sync
- Change Management
- Integrity Monitoring
- Anti-V, Anti-M
- Full coverage monitoring
Red Team - Offensive security or “ethical hacking” of any type that has been authorizedby the organization (penetration testing, physical hacks, black-box testing, compliancetesting, social engineering, web app scanning, etc). “The Breakers”
Blue Team - Defensive security, traditionally protection, damage control, and IncidentResponse (IR). Can also include operational security, threat hunters. Data Forensics(DF). “The Defenders”
Purple Team – Common term for activities combining Red and Blue Teams. Thesejoint activities improve the security posture of a testing scope by building betterdefenses based on discovered weaknesses. Primary goal is to maximize the results ofRed Team activities and improve Blue Team capability.
White Team – All-knowing, neutral, third-party, set the rules of engagement, makes aplan, organizes the other teams, and monitors progress. This could include elements ofCompliance, Management, Analysts, and/or logistics (this is where my role mostlyoperates in the ecosystem). “The Game Masters”
Yellow Team - Individuals who practice the art of creating code, programmers,application developers, software engineers and software architects. “The Builders”.This is an entirely new concept being introduced via this paper.
c) AMAZON WEB SERVICES KILL CHAIN PENTEST
https://www.youtube.com/watch?v=fm4CqlxqQfs
12.机器学习
Endgame 在OPENAI基础上做的
https://github.com/endgameinc/gym-malware
13.内核Fuzzing
github.com/kernelslacker/trinity
https://github.com/intelpt
14.攻击Printer
https://github.com/RUB-NDS/PRET
15. 欺骗C&C
欺骗C&C,针对一些通用的C&C方式进行主动入侵防御和阻断;
https://github.com/countercept/doublepulsar-detection-script
16. ServerLess Pentest
https://gist.github.com/andrewkrug/3d3012eb045d996e5ab4ee0d7cd5214c
17. VMWARE API
利用VMWARE API在HOST对Guest进行代码执行漏洞;
https://github.com/guardicore/vmware_guest_auth_bypass
18. JAVA漏洞
JSON漏洞
https://github.com/mbechler/marshalsec
JdbcRowSetImpl.setAutoCommit Gadget
Defcon
1、COM C&C
https://github.com/zerosum0x0/koadic
2、攻击持续集成
https://github.com/spaceB0x/cider