(In)Secure Remote Operations: What Sucks, Rocks, and a Super-CLI

By Yossi Sassi

Elevator Pitch

Every admin tool is an attack tool. Drawing on dozens of engagements on remoting architectures and Red Team assessments across four continents, this hands-on session dives into the good, the bad and the "wow, can this be done??" of Windows 'living off the land' remote operations, protocols and APIs.

Description

Every admin tool is an attack tool, yet there are no good or bad shells; that part is up to you. Drawing on dozens of engagements consulting on role-based remote operations architectures and Red Team assessments for organizations on four continents, we'll present technical, hands-on examples of what SUCKS and what ROCKS in Windows 'living off the land' remote admin operations, protocols and APIs: from IPC mechanisms (Named Pipes, mailslots, etc.) through RPC (WMI / DCOM / multiple LOLBins), WinRM / PSRemoting, RDP and more. Pros and cons of jump server architectures, as well as role-based shells for everyone! We'll also present how to limit PowerShell in creative ways, and demonstrate a super CLI: fully audited, whitelisted to do exactly what you want it to do, single port, fully encrypted, copies files, sends local variables to remote sessions and much more! But we'll also show how remote sessions can be manipulated without any credentials being exposed, to fully take over the account :)
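One concrete form of the audited, whitelisted, role-based shell over PSRemoting that the abstract promises is a Just Enough Administration (JEA) endpoint. The PowerShell below is an added illustration and not the speaker's super CLI; the module name, AD group, allowed service names and transcript path are assumptions.

```powershell
# Added example (not the talk's tool): a JEA endpoint that gives a helpdesk role a
# transcripted shell limited to an explicit allow-list of commands and parameters.
# Run elevated on the Windows host that will expose the endpoint over WinRM.

$moduleName = 'HelpdeskJea'                                        # assumed name
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcDir      = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# Role capability files must live inside a module, so create a minimal one.
New-Item -ItemType File -Path (Join-Path $modulePath "$moduleName.psm1") -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") -RootModule "$moduleName.psm1"

# Whitelist: Get-Service unrestricted, Restart-Service only for two named services
# (assumed), one external binary by full path. Everything else is invisible.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'HelpdeskOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'

# Session configuration: NoLanguage/restricted remote server, every session
# transcripted, and the session runs as a temporary virtual account rather than
# under the operator's own domain credentials on the host.
$pssc = Join-Path $env:TEMP 'HelpdeskJea.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpdeskOperators' = @{ RoleCapabilities = 'HelpdeskOperator' } }

# Validate before registering; prints $true when the .pssc parses cleanly.
Test-PSSessionConfigurationFile -Path $pssc
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# Operators connect with a single WinRM port and only see the allow-listed commands:
#   Enter-PSSession -ComputerName <host> -ConfigurationName Helpdesk
```

Review the transcripts in the configured directory and `Get-PSSessionCapability -ConfigurationName Helpdesk -Username CONTOSO\someuser` to confirm the effective allow-list before rolling the endpoint out.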

Notes

Speaking at DeepSec Vienna 2023, Hacktivity '23, DevOpsDays Vilnius '23, BSides Krakow '23, x33fcon '23, Craft 2023 closing keynote, NullCon 2023, HackCon 2023, SEC-T 2022, Reversim 2022 keynote, SecurityFest 2022, Hack In Paris 2022, Security Weekly, Colombia 4.0 keynote, Brazil's national cyber security conference, BSides TLV (2019, 2020, 2021), OSDFCon 2021, MTB/MGB (Microsoft), Israel's national directorate geo-cyber event(s) in Tel Aviv, TED / TEDx and more.

Research on bypassing Windows shell defenses and PowerShell security controls (Invisi-Shell) published on GitHub. Another open-source research project and tool for detecting Golden Tickets and Pass-the-Hash in Microsoft domain environments (agentless, real time) is also published on GitHub (GOLDFINGER).

A. SEC-T 2022 - 'When SysAdmin & Hacker Unite' - https://www.youtube.com/watch?v=4iAM76n1b5o

B. 'The Microsoft Mainframe' - talk @ SecurityFest 2022 - https://youtu.be/dVf90-T9lcI?t=735

C. 'Forensic artifacts that make you go hmmm...' - talk @ BSidesTLV 2021 - https://www.youtube.com/watch?v=60Y07kdcIcw

D. 'PowerShell as a hacking tool' @ BSides TLV 2019 - https://www.youtube.com/watch?v=Bg_Iy6gpq30

E. 'The H@כker mindset - Information Security Reality vs. Myths' - talk @ Brazil's government/public sector conference - https://www.youtube.com/watch?v=NQllXfX7nNs&t=4753s

F. ... and my music :) - https://www.youtube.com/watch?v=d8MAmmIBJng (public speaking is not the only stage I feel comfortable on...)