Network Defender Archaeology – A Trip to BlackHat Europe
We are just wrapping up our time here in London, UK at the annual BlackHat Europe 2018 conference. We were fortunate enough to be accepted to give a talk, “Network Defender Archeology – An NSM Case Study in Lateral Movement”, on Thursday, December 6, 2018. The presentation provided an overview of COM/DCOM as a lateral movement technique, with a strong focus on detection and forensic analysis of the associated network behaviors.
Abstract Excerpt:
Adversaries love leveraging legitimate functionality that lies dormant inside Microsoft Windows for malicious purposes, and often disguise their activity under the smoke screen of “normal administrator behavior.” Over the last year, there has been a significant surge in the malicious use of Component Object Model (COM) objects as a “living off the land” approach to lateral movement. COM, a subsystem that has been around since the early days of Microsoft Windows, exposes interfaces and functionality within software objects and can share that functionality over the network via Distributed COM (DCOM). With over 20 years in existence and over a year of relative popularity among adversaries, one would imagine that network analysis and detection of DCOM attacks would be old news. On the contrary, very few people understand the techniques, tools fail to properly parse the network protocol, and adversaries continue to successfully leverage it to further the compromise of networks. Needless to say, it is difficult to defend against techniques that defenders don’t understand.
Now that the talk is over, we are happy to share our content: the slide deck we presented, as well as a 26-page whitepaper providing a slightly deeper dive into the material in case you weren’t able to catch the talk. Thanks to everyone at BlackHat for working with us and putting on a great conference. Additionally, thanks to all the attendees who came out to chat and ask good questions.
Until next time – Happy Hacking!
Resources: