It was a whirlwind week in the infosec community at “Hacker Summer Camp,” and many great talks, tools, and projects were unleashed at BlackHat 2017 and DEF CON 25. Here are some of my favorites from last week in Las Vegas.

From SpecterOps

An ACE Up the Sleeve from BlackHat and DEF CON

@harmj0y and @_wald0 discussed the built-in Access Control Lists (ACLs) in Active Directory that are often misconfigured in ways that can be exploited for privilege escalation and as a stealthy backdoor. They discuss how to audit these entries across a network and how to use rarely-examined attributes as a method of “malware-less” persistence in an environment. @harmj0y added ACLs into the PowerView toolkit for both pentesters and defenders to use.

An Ace Up the Sleeve whitepaper
An Ace Up the Sleeve slides
PowerView on GitHub

BloodHound 1.3 from BlackHat Arsenal

Building off the AD ACL research, @cptjesus, @_wald0, and @harm0y demonstrated the new integration of Access Control Entries (ACE) into BloodHound to map out attack paths that use misconfigured ACLs for privilege escalation. When users or groups can modify the attributes of other objects, like password resets and adding to groups, an attacker can use LDAP to escalate privileges without using any exploits or credential dumping at all.

BloodHound on GitHub
BloodHound 1.3 Update blog post

Automated Collection and Enrichment from BlackHat Arsenal

On the defensive side, @jaredcatkinson and @robwinchester3 debuted ACE, which enables threat hunters to deploy scripts and collect data across an enterprise when installing an agent isn’t an option. The endpoint data is then enriched with transformations such as hashing and submitting to VirusTotal, or other sources of threat intelligence. The results from ACE can be ingested into a SIEM or stored as CSVs to help defenders query their enterprise for anything that can be scripted, with extensibility and flexibility as key design features.

ACE on GitHub

From Others

Koadic C3 from DEF CON

Koadic COM Command and Control, from @zerosum0x0, @Aleph__Naught, and the red team at @RiskSense, is a tool for red teamers to use COM and JScript as the basis for a full-fledged RAT. COM, or the Component Object Model, is built deeply into nearly all components of Windows, exposing a largely untapped attack surface. Building off previous COM research by @enigma0x3 and @subtee, and using @tiraniddo’s DotNetToJScript tool to great effect, Koadic shows that legacy technologies in Windows continue to produce new tools and research for red teamers.

Koadic C3 slides
Koadic on GitHub

zerosum0x0 and Aleph__Naught also posted their Windows Exploitation workshop from DEF CON, with code samples and 251 slides of extremely useful information about Windows internals used by malware.

Risksense Defcon 25 Workshop on GitHub

The Industrial Revolution of Lateral Movement/GoFetch from BlackHat, BlackHat Arsenal, and DEF CON

@TalBeerySec and @talthemaor demoed GoFetch, a tool that can automatically execute attack paths from BloodHound. The automation of lateral movement is part of the “industrial revolution” that shows a growing threat in cybersecurity: intelligent, automated, wormable movement available to pentesters, criminal groups, and malware authors. As lateral movement becomes automated, it is no longer a capability reserved only for sophisticated threat actors. Defenders must resolve the issue of overprivileged accounts and groups within the network.

The Industrial Revolution of Lateral Movement slides
GoFetch on Github

Friday the 13th: JSON Attacks from BlackHat and DEF CON

@pwntester and Oleksandr Mirosh released their research on exploiting JSON and .NET deserialization. Who knew that taking user-controlled data and mapping it into memory based on user-controlled fields could be so dangerous? ¯\_(ツ)_/¯ Like the Java deserialization bug made popular by Foxglove Security in 2016, JSON and .NET deserialization can lead to remote code execution, and the default libraries used in many applications are vulnerable. Their accompanying whitepaper details the many JSON and .NET serialization libraries they tested and the CVEs awarded along the way.

Friday the 13th JSON Attacks whitepaper
Friday the 13th JSON Attacks slides

UAC 0Day, All Day! DEF CON Workshop

@FuzzySec walks through User Account Control (UAC), its role and design in Windows Vista/7/8/8.1/10, and how to utterly break it in many different ways, including bypasses made public for the first time at DEF CON. Plenty of code samples and informative slides.

UAC 0Day, All Day! on GitHub

Leveraging PowerShell DEF CON Workshop

@Carlos_Perez, one of the OG PowerShell red teamers, presented a workshop called Fundamentals of Leveraging PowerShell, and there are plenty of fundamentals. The 287 slides cover the basics of PowerShell, its design, its integration with .NET, and, importantly, how PowerShell is delivered, used, and weaponized in concert with WMI (for recon and lateral movement) and Active Directory (for privilege escalation, recon, and lateral movement).

Leveraging PowerShell on GitHub
Leveraging PowerShell slides

sRDI from BlackHat

sRDI, by @monoxgas, is the shellcode implementation of Reflective DLL Injection, and can convert DLL files into position independent shellcode. This greatly reduces the pain of generating shellcode and means red teamers can write their shellcode in higher level languages like C#, C++, or C and compile it to a DLL instead of mucking about with assembly.

sRDI on GitHub

certutil.exe Research

While not officially released at DEF CON or BlackHat, I felt it deserved attention. @subtee has been dropping tantalizing information about certutil.exe, Microsoft’s utility for certificates, and how it can be used for offensive tradecraft. Besides being a useful built-in base64 encoder and decoder, subtee tweeted about a little-known flag for certutil to download and upload from URLs, then teased the world with this short video of command execution:

https://twitter.com/subTee/status/889173356284530688

There were far too many quality releases at BlackHat USA 2017, BSidesLV, and DEF CON to possibly cover all of them here, but the above tools and talks generated lots of excitement for both red and blue teams. DerbyCon 7.0 looks to continue the trend with an incredible lineup of speakers, so be sure to catch SpecterOps in Louisville in September.