
Suborner: Windows Bribery for Invisible Persistence

Date

August 26, 2022

Time

14:00

Track

Main Track

Whenever an attacker is trying to persist access on a compromised machine, the first offensive approach usually involves the creation of a new identity. Nevertheless, this may not work easily in hardened environments with diverse detection mechanisms against common attack vectors.

What if we “suborn” Windows to create our own hidden account that will grant us total access to a victim, while stealthily impersonating any account we want?

Now it is possible with the Suborner Attack. This technique dynamically creates an invisible machine account with custom credentials and custom properties without calling any user management Win32 APIs (e.g. netapi32.dll::NetUserAdd), and therefore evades detection mechanisms that rely on them (e.g. Event IDs 4720, 4721). By “suborning” Windows, we can also impersonate any desired account to keep our stealthiness even after a successful authentication/authorization.

To show its effectiveness, the attack is going to be demonstrated against the latest Windows version available.

Speakers

PhD Student

University of California

Sebastián Castro (@r4wd3r) is an information security specialist with experience as a network and application pentester, red teamer, and vulnerability researcher since 2013. Born in Bogotá, Colombia, he has contributed to the evolution of well-known community projects and discovered critical security issues in corporate software and operating systems. In 2020, he co-authored a book on red teaming, released in many countries by the publisher 0xword. Sebastián is currently a Ph.D. student at the University of California and is one of the proud captains of its CTF team. He has also taught courses at universities and private organizations on malware analysis, exploit development and vulnerability research. As an international speaker, he has presented his own research at conferences such as Black Hat Arsenal, Derbycon, BSides, SEC-T, and Romhack.
