Persisted: The active use and exploitation of Microsoft's Application Compatibility Framework
Jon Erickson, CODE BLUE 2014
Me
• Jon Erickson (@2130706433)
• Sr. Labs Engineer at iSIGHT Partners
Not Me!
• I'm not that Jon Erickson ☺ (although I would be happy to sign your book).
iSIGHT Partners
• Best commercial cyber intelligence provider on the planet.
• Highly differentiated:
  – Forward-looking, adversary-focused intelligence, actionable advice
  – Intelligence for multiple levels: executive, operational and technical
  – Only vendor with a true global intelligence collection presence
Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved. www.isightpartners.com
Agenda
• What is Application Compatibility
• Tools
• Prior Work
• EMET
• Real World Example
Background
Why use Application Compatibility
Some Examples
http://en.dark-omen.org/downloads/view-details/5.-miscellaneous/vista-/-windows-7-crash-fix.html
Fixes a crash when Alt-Tab is pressed
Tools
• Application Compatibility Toolkit (Microsoft)
• sdb2xml (Microsoft)
• cdd (Alex Ionescu)
• sdbinst (Microsoft)
• sdb-explorer (Jon Erickson)
Application Compatibility Toolkit
• Used to create and view SDB files
sdb2xml
• Created by Heath Stewart (2007)
• Can dump the raw PATCH_BITS data
• Does not parse (interpret) in-memory Fix-it patches
Compatibility Database Dumper (CDD)
Compatibility Database Dumper (CDD) v1.0
Copyright (C) 2007 Alex Ionescu
http://www.alex-ionescu.com
usage: cdd.exe [-s][-e][-l][-f][-p][-d kernel-mode database file][-a user-mode database file]
-s Show shims
-e Show executables
-l Show layers
-f Show flags
-p Show patches
-d Use Blocked Driver Database from this path
-a Use Application Compatibility Database from this path
Installing SDB Files
sdbinst [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
-? - print this help text.
-p - Allow SDBs containing patches.
-q - Quiet mode: prompts are auto-accepted.
-u - Uninstall.
-g {guid} - GUID of file (uninstall only).
-n "name" - Internal name of file (uninstall only).
NOTE: Requires Administrator privilege
Installing SDB Files
• Registry locations
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
  – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
• Default file locations
  – C:\Windows\AppPatch\Custom
  – C:\Windows\A\AppPatch\Custom\Custom64
Installing SDB Files (sdb-explorer)
sdb-explorer.exe -r filename.sdb [-a application.exe]
  – Does NOT show up in Add/Remove Programs
  – Does NOT copy the SDB to the default location
  – Requires Administrator privileges
Note regarding 64-bit patches: the path of the SDB file MUST contain Custom64.
Prior Work
• Alex Ionescu
  – Secrets of the Application Compatibility Database (SDB)
• Mark Baggett
  – Windows – Own3d by Default
• Jon Erickson
  – Persist-It – Using and Abusing Microsoft Fix It Patches
• Chris Graham
  – Shimming Your Way Past UAC
Prior/Related Work
Secrets of the Application Compatibility Database (SDB) - Alex Ionescu
1) Introduction
2) System Shims – The Most Interesting Ones
3) The Private Shim Engine Interface With The PE Loader
4) Built-in Shimmed Applications and Specific Shims – A Sample
Never released:
5) Tool 1 – CDD – Compatibility Database Dumper
6) Flag Shims – LUA and Installer Flags
7) The Run-Time In-Memory Patching Behavior and Analysis
8) The System Blocked Driver Database – The Kernel Side of SDB
9) Conclusion and Tool 2
System Shims
• C:\Windows\AppPatch
• sysmain.sdb, drvmain.sdb, msimain.sdb, pcamain.sdb
System Shims
• sdb-explorer -t sysmain.sdb
System Shims
• %WINDIR%\AppPatch\en-US\AcRes.dll.mui has the shim descriptions in its string table, for example:
• 60192, "Shim which intercepts the ShowWindow API call and fixes the problem due to tabbed browsing architecture changes in IE. The window an application finds is not the top level window any more, but the child tab window. Caught the ShowWindow API which checks if the class and process name of the window is IE's tab window. And then calls the real ShowWindow on the top level parent window."
• 60193, "This compatibility fix fixes problems with any application that uses the Shrinker resource compression library. This library hacks resource functions in ntdll and kernel32 and redirect calls into their own function routines. But Ntdll code has different opcodes in Windows XP. The program failed to find the opcode signature and decided to cancel WriteProcessMemory call to write their redirection. Because of this, the necessary decompression of program code and resources were not executed and caused access violation. Shrinker compatibility fix resolves this by providing necessary opcode signature so the app could write those redirection into ntdll."
System Shims
• %WINDIR%\AppPatch\ja-JP\AcRes.dll.mui carries the same descriptions in Japanese (translated here):
• 60192, "A shim that intercepts the ShowWindow API call and fixes the problem caused by the change in IE's tabbed-browsing architecture. The window an application looks up is no longer the top-level window but the child tab window. The shim catches the ShowWindow API call, checks whether the window's class and process name are those of IE's tab window, and then calls the real ShowWindow on the top-level parent window."
• 60193, "This compatibility fix resolves problems with applications that use the Shrinker resource-compression library. That library hooks the resource functions in ntdll and kernel32 and redirects calls to its own routines. On Windows XP, however, the ntdll code has different opcodes; the program fails to find the opcode signature and decides to cancel the WriteProcessMemory call that writes its redirections. As a result, the decompression of program code and resources does not run and an access violation occurs. The Shrinker compatibility fix resolves this by providing the required opcode signature so that the application can write its redirections into ntdll."
Prior/Related Work
• Mark Baggett
  – Windows - Owned By Default! (DerbyCon 2013)
  – Process execution redirection
  – API hooking
  – Hiding in the file system
  – Hiding in the registry
  – Disabling security features of the OS
  – Executing backdoors
InjectDll Details
2524a TAG 7004 - SHIM
25250 TAG 6001 - NAME: InjectDll
25256 TAG 600a - DLLFILE: AcGenral.DLL
2525c TAG 9010 - FIX_ID: {GUID}
25272 TAG 1002 - GENERAL
25274 TAG 4028 - DESCRIPTION_RC_ID: 60155 (0xeafb)
• Implemented in AcGenral.dll
• NS_InjectDll::NotifyFn()
• Calls LoadLibraryW()
RedirectEXE
26dbc TAG 7004 - SHIM
26dc2 TAG 6001 - NAME: RedirectEXE
26dc8 TAG 600a - DLLFILE: AcGenral.DLL
26dce TAG 9010 - FIX_ID: {GUID}
26de4 TAG 1002 - GENERAL
26de6 TAG 4028 - DESCRIPTION_RC_ID: 60176 (0xeb10)
• Implemented in AcGenral.dll
• NS_RedirectEXE::NotifyFn() calls, in order:
  – CreateProcessA()
  – CloseHandle(hProcess)
  – CloseHandle(hThread)
  – ExitProcess()
Fix-It Patch Analysis
• How is this different from patches released on Patch Tuesday?
  – BinDiff mshtml.dll from MS13-097 vs. MS14-010
    • 465 differing matched functions
    • 16 unmatched functions
  – Fix-it patch for CVE-2013-3893
    • 2 changes
Preventing 0-Day Exploitation
• CVE-2014-4114 / CVE-2014-6352 (October/November 2014)
  – OLE Packager vulnerability
• CVE-2014-0322 (February 2014)
  – IE use-after-free
• CVE-2013-3893 (September 2013)
  – IE memory corruption
• CVE-2012-4792 (December 2012)
  – IE use-after-free
• CVE-2012-1889 (June 2012)
  – XML Core Services
Sandworm CVE-2014-4114
InfDefaultInstall.exe "EVIL.inf"
InfDefaultInstall.exe “EVIL.inf”
Steps:
• PowerPoint Loads packager.dll to handle Packager Object
• Packager.dll copies evil.inf to Temp folder
• PowerPoint Animation invokes packager.dll DoVerb command
• DoVerb command performs “right click” context menu action for install.
• Packager.dll launches InfDefaultInstall to handle “install” action.
Sandworm CVE-2014-4114 Fix
InfDefaultInstall.exe “EVIL.inf”
Steps:
• PowerPoint Loads packager.dll to handle Packager Object
• Packager.dll copies evil.inf to Temp folder
- Mark file unsafe
• PowerPoint Animation invokes packager.dll DoVerb command
• DoVerb command performs “right click” context menu action for install.
• Packager.dll launches InfDefaultInstall to handle “install” action.
- Checks for unsafe flag
- Prompts Users
FIXED October 2014
Sandworm CVE-2014-4114 Fix
CVE-2014-6352
• Bypasses the CVE-2014-4114 fix
• Google found it in the wild
• Haifei Li found it and notified Microsoft
• IDLE starts and executes a specially named .py file
Sandworm Bypass Fix-It
1cae TAG 7007 - EXE
1cb4 TAG 6001 - NAME: POWERPNT.exe
1cba TAG 6006 - APP_NAME: POWERPNT.exe
1cc0 TAG 6005 - VENDOR: Microsoft
1cc6 TAG 9004 - EXE_ID: {D82187EB-A66D-4A6A-B6BA-0F5738B5D08E}
1cdc TAG 9011 - APP_ID: {F503FB56-18CF-4B58-80D0-02AC0D38D698}
1cf2 TAG 7008 - MATCHING_FILE
1cf8 TAG 6001 - NAME: *
1cfe TAG 6009 - COMPANY_NAME: Microsoft Corporation
1d04 TAG 7008 - MATCHING_FILE
1d0a TAG 6001 - NAME: %windir%\System32\packager.dll
1d10 TAG 5002 - BIN_FILE_VERSION: 6.1.7601.18601
1d1a TAG 400b - PE_CHECKSUM: 79169 (0x13541)
1d20 TAG 700a - PATCH_REF
1d26 TAG 6001 - NAME: ef1de1e8-f835-470d-819c-228118f7eb22
1d2c TAG 4005 - PATCH_TAGID: 972 (0x3cc)
Sandworm Bypass Fix-It
• Output from sdb-explorer
With Fix It
CVE-2014-6352 Fix
Steps:
• PowerPoint Loads packager.dll to handle Packager Object.
• Packager.dll copies evil.inf to Temp folder.
- Mark file unsafe (from CVE-2014-4114 Fix).
• PowerPoint Animation invokes packager.dll DoVerb command.
• DoVerb command performs “right click” context menu action for edit.
• Prompts User
• Packager.dll launches IDLE to handle “Edit with IDLE” action.
• IDLE Looks for python file with specific name and executes it.
• Doesn’t care about unsafe flag.
IDLE starts and executes evil2.py
FIXED November 2014
In-Memory Patches
• The Application Compatibility Toolkit has no concept of in-memory patches
Analyzing the CVE-2014-6352 Fix-It
• Released October 21st, one week after CVE-2014-4114 was patched.
• Targets (sdb-explorer.exe -d CVE-2014-6352-32bit-Shim.sdb):
%windir%\System32\packager.dll (6.0.6002.19192) Checksum = (0x1708a)
%windir%\System32\packager.dll (6.0.6002.23496) Checksum = (0x1a612)
%windir%\System32\packager.dll (6.1.7601.18601) Checksum = (0x13541)
%windir%\System32\packager.dll (6.1.7601.22809) Checksum = (0x171ab)
%windir%\System32\packager.dll (6.2.9200.17121) Checksum = (0x14f94)
%windir%\System32\packager.dll (6.2.9200.21237) Checksum = (0x17675)
%windir%\System32\packager.dll (6.3.9600.17341) Checksum = (0x173b6)
%windir%\SysWOW64\packager.dll (6.0.6002.19192) Checksum = (0x1708a)
%windir%\SysWOW64\packager.dll (6.0.6002.23496) Checksum = (0x1a612)
%windir%\SysWOW64\packager.dll (6.1.7601.18601) Checksum = (0x13541)
%windir%\SysWOW64\packager.dll (6.1.7601.22809) Checksum = (0x171ab)
%windir%\SysWOW64\packager.dll (6.2.9200.17121) Checksum = (0x14f94)
%windir%\SysWOW64\packager.dll (6.2.9200.21237) Checksum = (0x17675)
%windir%\SysWOW64\packager.dll (6.3.9600.17341) Checksum = (0x173b6)
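To go from this target list to "does the packager.dll on this box match?", the shim engine compares the MATCHING_FILE attributes against the file on disk; PE_CHECKSUM is, as I understand apphelp's file-attribute code, the CheckSum field of the PE optional header. The Python below is an added example, not the deck's code and not sdb-explorer: it reads that field, recomputes the checksum the way the linker does (ones-complement sum of the image's DWORDs with the CheckSum field skipped, folded to 16 bits, plus the file length) and looks the value up in the table above, so a defender can tell a genuine version from a copy that was modified but still claims the old checksum. The sample PE is a constructed 184-byte header-only image, and the version/checksum table is transcribed from the slide.

```python
import struct

# (BIN_FILE_VERSION, PE_CHECKSUM) pairs transcribed from the Fix-it's MATCHING_FILE
# entries above; System32 and SysWOW64 carry the same values per version.
FIXIT_TARGETS = {
    "6.0.6002.19192": 0x1708A, "6.0.6002.23496": 0x1A612,
    "6.1.7601.18601": 0x13541, "6.1.7601.22809": 0x171AB,
    "6.2.9200.17121": 0x14F94, "6.2.9200.21237": 0x17675,
    "6.3.9600.17341": 0x173B6,
}


def checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (identical for PE32 and PE32+)."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 0x40      # signature + COFF header + field offset


def header_checksum(data):
    """The checksum the file claims for itself."""
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def compute_checksum(data):
    """Same algorithm as the linker / CheckSumMappedFile: add every DWORD except the
    CheckSum field with end-around carry, fold to 16 bits, then add the file length."""
    skip = checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify(data):
    """(claimed, computed, matches). A mismatch means the image was changed without
    fixing the header up, or the checksum was never set (0)."""
    claimed, computed = header_checksum(data), compute_checksum(data)
    return claimed, computed, claimed == computed


def matching_versions(pe_checksum):
    """Versions in the Fix-it's target list whose PE_CHECKSUM equals this file's."""
    return sorted(v for v, c in FIXIT_TARGETS.items() if c == pe_checksum)


def build_sample_pe(checksum=0):
    """Constructed header-only PE32 DLL (184 bytes): MZ stub, PE signature, COFF
    header and a 96-byte optional header. Not a real packager.dll."""
    mz = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)      # i386, DLL
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0, 0, 0, 0, 0, 0, 0x10000000, 0x1000, 0x200,
                      0, 0, 0, 0, 0, 0, 0, 0x1000, 0x200, checksum, 2, 0,
                      0, 0, 0, 0, 0, 0)
    return mz + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    image = build_sample_pe(compute_checksum(build_sample_pe()))
    print("claimed=0x%x computed=0x%x ok=%s" % verify(image))
    print("Fix-it versions matching 0x13541:", matching_versions(0x13541))
```

On a real host you would read packager.dll from System32 and SysWOW64 instead of building one; the version string still has to come from the file's VS_VERSION_INFO resource, which this example does not parse.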
Analyzing CVE-2014-6352 (sdb-explorer)
• sdb-explorer.exe -t my.sdb
• Prints a tree view, similar to sdb2xml
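As an added example (not the deck's code and not sdb-explorer itself), the Python below builds a tiny .sdb in memory that mirrors the POWERPNT.exe entry shown earlier and then walks it back into the same "offset TAG id - NAME: value" tree view. The tag encoding is the public one: the type is the upper nibble of the 16-bit tag id, and LIST, STRING and BINARY tags carry a 32-bit length. The one assumption is that a STRINGREF value is an offset from the start of the STRINGTABLE tag (so the first STRINGTABLE_ITEM sits at offset 6), which is how the ReactOS apphelp implementation resolves it. The sample database, its description string and the Writer class are constructed for this example.

```python
import struct
import uuid

# Tag names seen in the deck's sdb-explorer output plus the structural tags
# needed to walk a database; anything else is printed as a hex tag id.
TAG_NAMES = {
    0x7001: "DATABASE", 0x7002: "LIBRARY", 0x7004: "SHIM", 0x7005: "PATCH",
    0x7007: "EXE", 0x7008: "MATCHING_FILE", 0x7009: "SHIM_REF", 0x700A: "PATCH_REF",
    0x7801: "STRINGTABLE", 0x8801: "STRINGTABLE_ITEM", 0x6001: "NAME", 0x6005: "VENDOR",
    0x6006: "APP_NAME", 0x6009: "COMPANY_NAME", 0x600A: "DLLFILE", 0x4005: "PATCH_TAGID",
    0x400B: "PE_CHECKSUM", 0x4028: "DESCRIPTION_RC_ID", 0x5002: "BIN_FILE_VERSION",
    0x9002: "PATCH_BITS", 0x9004: "EXE_ID", 0x9010: "FIX_ID", 0x9011: "APP_ID", 0x1002: "GENERAL",
}
# The tag type is the upper nibble of the 16-bit tag id.
T_NULL, T_BYTE, T_WORD, T_DWORD, T_QWORD = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000
T_STRINGREF, T_LIST, T_STRING, T_BINARY = 0x6000, 0x7000, 0x8000, 0x9000
FIXED = {T_BYTE: "<B", T_WORD: "<H", T_DWORD: "<I", T_STRINGREF: "<I", T_QWORD: "<Q"}


def parse_tags(data, pos, end):
    """Parse the tag stream in data[pos:end]; LIST tags recurse into children."""
    nodes = []
    while pos < end:
        off, (tag,) = pos, struct.unpack_from("<H", data, pos)
        ttype, pos, value, children = tag & 0xF000, pos + 2, None, []
        if ttype in FIXED:
            value, pos = struct.unpack_from(FIXED[ttype], data, pos)[0], pos + struct.calcsize(FIXED[ttype])
        elif ttype in (T_LIST, T_STRING, T_BINARY):   # tag, DWORD length, payload
            size, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
            if ttype == T_LIST:
                children = parse_tags(data, pos, pos + size)
            elif ttype == T_STRING:
                value = data[pos:pos + size].decode("utf-16-le").rstrip("\0")
            else:
                value = bytes(data[pos:pos + size])
            pos += size
        elif ttype != T_NULL:
            raise ValueError("unknown tag type 0x%04x at offset 0x%x" % (tag, off))
        nodes.append({"off": off, "tag": tag, "value": value, "children": children})
    return nodes


def parse_sdb(data):
    """Header is major and minor version (DWORDs) plus the magic 'sdbf'; tags follow."""
    major, minor, magic = struct.unpack_from("<II4s", data, 0)
    if magic != b"sdbf":
        raise ValueError("not a shim database")
    return major, minor, parse_tags(data, 12, len(data))


def string_ref(data, strtab_off, ref):
    """Assumption: ref is relative to the STRINGTABLE tag and lands on an item."""
    pos = strtab_off + ref
    tag, size = struct.unpack_from("<HI", data, pos)
    if tag != 0x8801:
        raise ValueError("bad STRINGREF 0x%x" % ref)
    return data[pos + 6:pos + 6 + size].decode("utf-16-le").rstrip("\0")


def format_value(tag, value, data, strtab_off):
    ttype = tag & 0xF000
    if ttype in (T_NULL, T_LIST):
        return ""
    if ttype == T_STRINGREF:
        return string_ref(data, strtab_off, value) if strtab_off is not None else "ref 0x%x" % value
    if ttype == T_STRING:
        return value
    if ttype == T_BINARY:        # 16-byte blobs (EXE_ID, FIX_ID, APP_ID) are GUIDs
        return "{%s}" % str(uuid.UUID(bytes_le=value)).upper() if len(value) == 16 else value.hex()
    if tag == 0x5002:            # BIN_FILE_VERSION packs major.minor.build.revision
        return ".".join(str((value >> s) & 0xFFFF) for s in (48, 32, 16, 0))
    return "%d (0x%x)" % (value, value)


def dump_tree(data):
    """Render the database like sdb-explorer -t: offset, tag id, name, value."""
    _, _, nodes = parse_sdb(data)
    strtab_off = next((n["off"] for n in nodes if n["tag"] == 0x7801), None)
    lines = []

    def walk(ns, depth):
        for n in ns:
            name = TAG_NAMES.get(n["tag"], "0x%04X" % n["tag"])
            text = format_value(n["tag"], n["value"], data, strtab_off)
            lines.append("%x %sTAG %04x - %s%s" % (n["off"], "  " * depth, n["tag"], name, ": " + text if text else ""))
            walk(n["children"], depth + 1)

    walk(nodes, 0)
    return lines


# --- constructed sample mirroring the POWERPNT.exe entry from the deck ---
def dword(tag, v): return struct.pack("<HI", tag, v)
def blob(tag, body): return struct.pack("<HI", tag, len(body)) + body   # LIST/STRING/BINARY


class Writer:
    """Minimal encoder; strings are deduplicated into a trailing STRINGTABLE."""
    def __init__(self):
        self.table, self.refs = b"", {}

    def sref(self, tag, text):
        if text not in self.refs:
            self.refs[text] = 6 + len(self.table)      # offset from the STRINGTABLE tag
            self.table += blob(0x8801, text.encode("utf-16-le") + b"\0\0")
        return dword(tag, self.refs[text])


def build_sample():
    w = Writer()
    exe = blob(0x7007, w.sref(0x6001, "POWERPNT.exe") + w.sref(0x6006, "POWERPNT.exe")
               + w.sref(0x6005, "Microsoft")
               + blob(0x9004, uuid.UUID("D82187EB-A66D-4A6A-B6BA-0F5738B5D08E").bytes_le)
               + blob(0x7008, w.sref(0x6001, r"%windir%\System32\packager.dll")
                      + struct.pack("<HQ", 0x5002, (6 << 48) | (1 << 32) | (7601 << 16) | 18601)
                      + dword(0x400B, 0x13541))
               + blob(0x700A, w.sref(0x6001, "ef1de1e8-f835-470d-819c-228118f7eb22") + dword(0x4005, 0x3CC)))
    database = blob(0x7001, w.sref(0x6001, "Sample Fix-it (constructed)") + exe)
    return struct.pack("<II4s", 2, 1, b"sdbf") + database + blob(0x7801, w.table)


if __name__ == "__main__":
    print("\n".join(dump_tree(build_sample())))
```

Point dump_tree at the bytes of a real custom SDB (read the file in binary mode) and the MATCHING_FILE, PATCH_REF and SHIM_REF nodes come out the same way; a PATCH_BITS value prints as hex, which is where an in-memory patch decoder would take over.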
Analyzing CVE-2014-6352 (sdb2xml)
• sdb2xml my.sdb
Patch Details
• Relevant tags: PATCH, PATCH_BITS, PATCH_REF, PATCH_TAGID, checksum
sdb-explorer.exe -p CVE-2014-6352-32bit-Shim.sdb 0x2ea
IDAPython Script
sdb-explorer.exe -i -p CVE-2014-6352-32bit-Shim.sdb 0x2ea
Persist-It
• sdb-explorer
• Explanation of the in-memory patch file format (lots of details)
• Shows how to analyze Fix-it patches
• Shows how to create your own in-memory patches
Shimming Your Way Past UAC
• Windows-signed binaries marked autoElevate (for example SndVol.exe) elevate without a UAC prompt.
• Uses the RedirectEXE shim type.
• Steps:
  – Create a shim for SndVol.exe that does RedirectEXE to evil.exe
  – Register the shim
  – Start SndVol.exe
EMET
• The Enhanced Mitigation Experience Toolkit
• DEP
• SEHOP
• Null page
• Heap spray protection
• EAF
• Mandatory ASLR
• ROP detection
• Attack surface reduction
EMET
• %WINDIR%\AppPatch\EMET.dll
• %WINDIR%\AppPatch\AppPatch64\EMET.dll
EMET
• EMET shim (EMET.dll is loaded through the shim engine)
Real World Examples
• Search Protect
• BlackEnergy
• Win32/Farfli.BEK
Search Protect
• Potentially unwanted program (PUP)
  – Adware
• Now using Application Compatibility to persist
  – Uses the InjectDll shim
  – Loads the Search Protect library into browsers
BlackEnergy/Quedagh
• Recently targeting the Ukrainian government.
• Uses a UAC bypass.
  – Same technique as Chris Graham's
• Driver signing bypass
  – Shim?
  – To patch user32.dll.mui
https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
Win32/Farfli.BEK Persistence
• Anton Cherepanov (ESET) reported it at ZeroNights 2014
Win32/Farfli.BEK drops the following files:
%WINDIR%\AppPatch\msimain.mui – raw code
%WINDIR%\AppPatch\AcProtect.dll
Drops a shim database and registers it:
%WINDIR%\AppPatch\Custom\%GUID%.sdb
Win32/Farfli.BEK Persistence
• EMET-style SDB
What Can You Do?
• Disable the shim engine
  – I do NOT recommend this
  – Breaks EMET
  – Disables 0-day Fix-its
• gpedit.msc
  – Administrative Templates > Windows Components > Application Compatibility > Turn off Application Compatibility Engine
Recommendations
• Search your registry and file system
  – Your system will have SDB files; there are defaults
  – Use the knowledge you gained
• Autoruns (Sysinternals) does not consider Application Compatibility fixes
  – They are aware and are working on it ☺
• Add signatures to SDB files (Microsoft)
• Notify when a non-signed SDB file is running, or about to run (Microsoft)
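The two registry keys and two directories listed under "Installing SDB Files" are enough to do the search recommended above. The Python below is an added example (not the deck's code and not sdb-explorer): the triage logic is pure and runs here over constructed sample data, while the collector that fills it from a live box uses winreg and only runs on Windows. It assumes the value layout I know from those keys (each value under AppCompatFlags\Custom\<exe> is named "{GUID}.sdb"; each AppCompatFlags\InstalledSDB\{GUID} key holds DatabasePath and DatabaseDescription values) and flags the cases the deck motivates: a registration whose database sits outside AppPatch\Custom (sdb-explorer -r leaves the file where it was), an executable entry with no InstalledSDB record, an orphan .sdb on disk, and any shim on an autoElevate binary such as SndVol.exe. The GUIDs and paths in the sample are made up.

```python
import ntpath
import os
import sys

APPCOMPAT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
_ROOT = os.environ.get("SystemRoot", r"C:\Windows")
CUSTOM_DIRS = (ntpath.join(_ROOT, "AppPatch", "Custom").lower(),
               ntpath.join(_ROOT, "AppPatch", "Custom", "Custom64").lower())
# Binaries the UAC-bypass slide names; extend with other autoElevate images you track.
AUTO_ELEVATE = {"sndvol.exe"}


def triage(custom, installed, on_disk):
    """Cross-check the three places an SDB registration leaves traces.

    custom:    {exe_name: [guid, ...]}  from AppCompatFlags\\Custom\\<exe>
    installed: {guid: {"DatabasePath": str, "DatabaseDescription": str}}
    on_disk:   .sdb paths found under AppPatch\\Custom and Custom64
    Returns (severity, message) findings, sorted for stable output."""
    findings, referenced = [], set()
    for exe, guids in custom.items():
        if exe.lower() in AUTO_ELEVATE:
            findings.append(("high", "%s: autoElevate binary has a shim registered "
                             "(RedirectEXE UAC-bypass pattern)" % exe))
        for guid in guids:
            referenced.add(guid.lower())
            entry = installed.get(guid)
            if entry is None:
                findings.append(("high", "%s: references %s but no InstalledSDB record exists" % (exe, guid)))
                continue
            path = entry.get("DatabasePath", "")
            if ntpath.dirname(path).lower() not in CUSTOM_DIRS:
                findings.append(("high", "%s: %s loads %s outside AppPatch\\Custom" % (exe, guid, path)))
    disk_files = {p.lower() for p in on_disk}
    installed_paths = set()
    for guid, entry in installed.items():
        path = entry.get("DatabasePath", "").lower()
        installed_paths.add(path)
        if guid.lower() not in referenced:
            findings.append(("medium", "%s: installed (%s) but applied to no executable"
                             % (guid, entry.get("DatabaseDescription", "?"))))
        if ntpath.dirname(path) in CUSTOM_DIRS and path not in disk_files:
            findings.append(("medium", "%s: DatabasePath %s is missing on disk" % (guid, path)))
    for path in sorted(disk_files - installed_paths):
        findings.append(("medium", "%s: .sdb under AppPatch\\Custom with no InstalledSDB record" % path))
    return sorted(findings)


def collect_windows():
    """Live collector (Windows only). Reads the 64-bit registry view so Custom64
    registrations are not hidden by WOW64 redirection under 32-bit Python."""
    import winreg
    flags = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    hklm = winreg.HKEY_LOCAL_MACHINE

    def values(key):
        return [winreg.EnumValue(key, j)[:2] for j in range(winreg.QueryInfoKey(key)[1])]

    def subkeys(key):
        return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]

    custom, installed = {}, {}
    with winreg.OpenKey(hklm, APPCOMPAT_KEY + r"\Custom", 0, flags) as key:
        for exe in subkeys(key):
            with winreg.OpenKey(key, exe, 0, flags) as sub:   # value names are "{GUID}.sdb"
                custom[exe] = [n[:-4] if n.lower().endswith(".sdb") else n for n, _ in values(sub)]
    with winreg.OpenKey(hklm, APPCOMPAT_KEY + r"\InstalledSDB", 0, flags) as key:
        for guid in subkeys(key):
            with winreg.OpenKey(key, guid, 0, flags) as sub:
                installed[guid] = dict(values(sub))
    on_disk = [ntpath.join(d, f) for d in CUSTOM_DIRS if os.path.isdir(d)
               for f in os.listdir(d) if f.lower().endswith(".sdb")]
    return custom, installed, on_disk


# Constructed sample: one vendor fix, one sdb-explorer -r style registration on
# SndVol.exe, one dangling Custom entry and one leftover file. GUIDs are made up.
SAMPLE_CUSTOM = {
    "SndVol.exe": ["{11111111-1111-1111-1111-111111111111}"],
    "notepad.exe": ["{22222222-2222-2222-2222-222222222222}"],
    "Vendor.exe": ["{33333333-3333-3333-3333-333333333333}"],
}
SAMPLE_INSTALLED = {
    "{11111111-1111-1111-1111-111111111111}": {
        "DatabasePath": r"C:\Users\Public\svc.sdb", "DatabaseDescription": "svc"},
    "{33333333-3333-3333-3333-333333333333}": {
        "DatabasePath": r"C:\Windows\AppPatch\Custom\{33333333-3333-3333-3333-333333333333}.sdb",
        "DatabaseDescription": "Vendor compatibility fix"},
}
SAMPLE_ON_DISK = [
    r"C:\Windows\AppPatch\Custom\{33333333-3333-3333-3333-333333333333}.sdb",
    r"C:\Windows\AppPatch\Custom\{44444444-4444-4444-4444-444444444444}.sdb",
]

if __name__ == "__main__":
    live = sys.platform == "win32"
    data = collect_windows() if live else (SAMPLE_CUSTOM, SAMPLE_INSTALLED, SAMPLE_ON_DISK)
    for severity, message in triage(*data):
        print(severity.upper(), message)
```

Run it as Administrator on a real host and feed each flagged DatabasePath to the tree dumper to see which executables and which shims or patches it carries.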
Summary
• The Application Compatibility framework is a method attackers are using today.
• This is not a vulnerability
• This is a feature that attackers are abusing
• Defenders should start looking for this on the machines in their networks.
• SDB files require Administrator privilege to install
References
• Baggett, M. (2013, February 23). 2013 Posts and Publications. Retrieved October 23, 2013, from In Depth Defense: http://www.indepthdefense.com/2013/02/2013-posts-and-publications.html
• Ionescu, A. (2007, May 20). Secrets of the Application Compatibility Database (SDB) – Part 1. Retrieved September 5, 2013, from Alex Ionescu's Blog: http://www.alex-ionescu.com/?p=39
• Ionescu, A. (2007, May 26). Secrets of the Application Compatibility Database (SDB) – Part 3. Retrieved September 5, 2013, from Alex Ionescu's Blog: http://www.alex-ionescu.com/?p=41
• Russinovich, M., & Cogswell, B. (2013, August 1). Autoruns for Windows v11.70. Retrieved September 5, 2013, from Windows Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
• Microsoft. (2013, September 6). !chkimg. Retrieved October 2, 2013, from Dev Center: http://msdn.microsoft.com/en-us/library/windows/hardware/ff562217%28v=vs.85%29.aspx
• Microsoft. (2013, October 1). Application Compatibility Database. Retrieved October 23, 2013, from Microsoft Developer Network: http://msdn.microsoft.com/library/bb432182.aspx
• Microsoft. (2013). Fix it Solution Center. Retrieved October 24, 2013, from Microsoft Support: http://support.microsoft.com/fixit/
• Microsoft. (2012, October 1). Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution. Retrieved September 5, 2013, from Microsoft Support: http://support.microsoft.com/kb/2719615
• Microsoft. (2012, December 7). Shim Database Types. Retrieved September 5, 2013, from Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/bb432483%28v=vs.85%29.aspx
• Sikka, N. (2013, September 17). CVE-2013-3893: Fix it workaround available. Retrieved October 2, 2013, from Security Research & Defense: http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx
• Stewart, H. (2007, November 3). Shim Database to XML. Retrieved September 5, 2013, from Setup & Install by Heath Stewart: http://blogs.msdn.com/b/heaths/archive/2007/11/02/sdb2xml.aspx
• Disabling a shim: http://blogs.msdn.com/b/maartenb/archive/2009/07/24/disabling-a-shim.aspx
• Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322: https://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx
• Graham, C. (2014, May). Shimming Your Way Past UAC: ddilabs.blogspot.com/2014/05/shimming-your-way-past-uac.html
Thanks
• Kat, Josh, Sam, zen, Mac, Mike, Dave, Sean, Darel, Brad A., Matt G., Mark B., Chris G, Mark R., Microsoft, iSIGHT Partners, and all others who will remain nameless.
Questions
• jerickson <@> isightpartners.com
• Source code: https://github.com/evil-e/sdb-explorer

How to Customize Android Framework&System
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Mobile-Enabling Enterprise APIs: A Case Study with MasterCard
Mobile-Enabling Enterprise APIs: A Case Study with MasterCardMobile-Enabling Enterprise APIs: A Case Study with MasterCard
Mobile-Enabling Enterprise APIs: A Case Study with MasterCard
 
Começando com Android
Começando com AndroidComeçando com Android
Começando com Android
 
IBM Impact session 1654-how to move an existing cics application to a smartphone
IBM Impact session 1654-how to move an existing cics application to a smartphoneIBM Impact session 1654-how to move an existing cics application to a smartphone
IBM Impact session 1654-how to move an existing cics application to a smartphone
 
Trends in front end engineering_handouts
Trends in front end engineering_handoutsTrends in front end engineering_handouts
Trends in front end engineering_handouts
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
Better Code: Concurrency
Better Code: ConcurrencyBetter Code: Concurrency
Better Code: Concurrency
 
IBM Z for the Digital Enterprise - DevOps for Z
IBM Z for the Digital Enterprise - DevOps for Z IBM Z for the Digital Enterprise - DevOps for Z
IBM Z for the Digital Enterprise - DevOps for Z
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Recently uploaded (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 

CODE BLUE 2014 : Persisted: The active use and exploitation of Microsoft's Application Compatibility Framework by JON ERICKSON

  • 1. The active use and exploitation of Microsoft's Application Compatibility Framework Jon Erickson
  • 2. Me !  Jon Erickson (@2130706433) !  Sr. Labs Engineer at iSIGHT Partners
  • 3. Not Me! !  I’m not that Jon Erickson ☺ Although I would be happy to sign your book.
  • 4. iSIGHT Partners !  Best commercial cyber intelligence provider on the planet. !  Highly Differentiated –  Forward looking, adversary focused intelligence, actionable advice –  Intelligence for multiple levels: executive, operational and technical –  Only vendor with true global intelligence collection presence Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved. www.isightpartners.com
  • 5. Agenda !  What is Application Compatibility !  Tools !  Prior Work !  EMET !  Real World Example
  • 6. Background
  • 7. Why use Application Compatibility
  • 8. Some Examples http://en.dark-omen.org/downloads/view-details/5.-miscellaneous/vista-/-windows-7-crash-fix.html Fixes a crash when Alt-Tab is pressed
  • 9. Some Examples http://en.dark-omen.org/downloads/view-details/5.-miscellaneous/vista-/-windows-7-crash-fix.html Fixes a crash when Alt-Tab is pressed
  • 10. Agenda !  What is Application Compatibility !  Tools !  Prior Work !  EMET !  Real World Example
  • 11. Tools !  Application Compatibility Toolkit (Microsoft) !  sdb2xml (Microsoft) !  cdd (Alex Ionescu) !  sdbinst (Microsoft) !  sdb-explorer (Jon Erickson)
  • 12. Application Compatibility Toolkit !  Used to create and view SDB files
  • 13. sdb2xml !  Created by Heath Stewart (2007) !  Can dump PATCH_BITS information !  Does not parse in-memory fix-its.
  • 14. Compatibility Database Dumper (CDD)
    Compatibility Database Dumper (CDD) v1.0
    Copyright (C) 2007 Alex Ionescu
    http://www.alex-ionescu.com
    usage: cdd.exe [-s][-e][-l][-f][-p][-d kernel-mode database file][-a user-mode database file]
      -s  Show shims
      -e  Show executables
      -l  Show layers
      -f  Show flags
      -p  Show patches
      -d  Use Blocked Driver Database from this path
      -a  Use Application Compatibility Database from this path
  • 15. Installing SDB Files
    sdbinst [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
      -?         - print this help text.
      -p         - Allow SDBs containing patches.
      -q         - Quiet mode: prompts are auto-accepted.
      -u         - Uninstall.
      -g {guid}  - GUID of file (uninstall only).
      -n "name"  - Internal name of file (uninstall only).
    NOTE: Requires Administrator privilege
  • 16. Installing SDB Files !  Registry Locations –  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom –  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB !  Default File Locations –  C:\Windows\AppPatch\Custom –  C:\Windows\AppPatch\Custom\Custom64
  • 17. Installing SDB Files sdb-explorer.exe -r filename.sdb [-a application.exe] –  Does NOT show up in Add/Remove Programs –  Does NOT copy the SDB to the default location –  Requires Administrator privileges Note regarding 64-bit patches: the path of the SDB file MUST contain Custom64
  • 18. Agenda !  What is Application Compatibility !  Tools !  Prior Work !  EMET !  Real World Example
  • 19. Prior Work !  Alex Ionesceu –  Secrets of the Application Compatibility Database (SDB) !  Mark Baggett –  Windows – Own3d by Default !  Jon Erickson –  Persist-It – Using and Abusing Microsoft Fix It Patches !  Chris Graham –  Shimming Your Way Past UAC Proprietary  and  Confiden/al  Informa/on.  ©  Copyright  2014,  iSIGHT  Partners,  Inc.  All  Rights  Reserved          www.isightpartners.com     19  
  • 20. Prior/ Related Work Secrets of the Application Compatibility Database (SDB) - Alex Ionesceu 1 ) Introduction 2 ) System Shims – The Most Interesting Ones 3 ) The Private Shim Engine Interface With The PE Loader 4 ) Built-in Shimmed Applications and Specific Shims – A Sample Never Released: 5 ) Tool 1 – CDD – Compatibility Database Dumper 6 ) Flag Shims – LUA and Installer Flags 7 ) The Run-Time In-Memory Patching Behavior and Analysis 8 ) The System Blocked Driver Database – The Kernel Side of SDB 9 ) Conclusion and Tool 2 Proprietary  and  Confiden/al  Informa/on.  ©  Copyright  2014,  iSIGHT  Partners,  Inc.  All  Rights  Reserved          www.isightpartners.com     20  
  • 21. System Shims !  C:WindowsAppPatch !  sysmain.sdb drvmain.sdb msimain.sdb pcamain.sdb Proprietary  and  Confiden/al  Informa/on.  ©  Copyright  2014,  iSIGHT  Partners,  Inc.  All  Rights  Reserved          www.isightpartners.com     21  
  • 22. System Shims !  sdb-explorer –t sysmain.sdb Proprietary  and  Confiden/al  Informa/on.  ©  Copyright  2014,  iSIGHT  Partners,  Inc.  All  Rights  Reserved          www.isightpartners.com     22  
  • 23. System Shims !  %WINDIR%AppPatchen-USAcRes.dll.mui– has descriptions in its string table. !  60192, "Shim which intercepts the ShowWindow API call and fixes the problem due to tabbed browsing architecture changes in IE. The window an application finds is not the top level window any more, but the child tab window. Caught the ShowWindow API which checks if the class and process name of the window is IE's tab window. And then calls the real ShowWindow on the top level parent window." !  60193, "This compatibility fix fixes problems with any application that uses the Shrinker resource compression library. This library hacks resource functions in ntdll and kernel32 and redirect calls into their own function routines. But Ntdll code has different opcodes in Windows XP. The program failed to find the opcode signature and decided to cancel WriteProcessMemory call to write their redirection. Because of this, the necessary decompression of program code and resources were not executed and caused access violation. Shrinker compatibility fix resolves this by providing necessary opcode signature so the app could write those redirection into ntdll." Proprietary  and  Confiden/al  Informa/on.  ©  Copyright  2014,  iSIGHT  Partners,  Inc.  All  Rights  Reserved          www.isightpartners.com     23  
  • 24. System Shims !  %WINDIR%AppPatchja-JPAcRes.dll.mui – has descriptions in its string table. !  60192, " ShowWindow API 呼び出しを途中で取得し、IE のタブ ブラウズ アーキテクチャ変更による問 題を修正する shim です。アプリケーションが検索するウィンドウは最上位ウィンドウではなく、子タブの ウィンドウになります。ウィンドウのクラスとプロセス名が IE のタブ ウィンドウであるかどうかを確認する ShowWindow API をキャッチしました。次に、最上位の親ウィンドウで実際の ShowWindow を呼び出し ます。.“ !  60193, "この互換性修正プログラムは、Shrinker リソース圧縮ライブラリを使用するアプリケーションの 問題を修正します。このライブラリは、ntdll と kernel32 のリソース関数をハッキングし、呼び出しをリソー ス関数の関数ルーチンにリダイレクトします。ただし、Windows XP では Ntdll コードに異なるオペコード があります。プログラムはオペコード署名の確認に失敗し、リダイレクトを書き込むための WriteProcessMemory 呼び出しの取り消しを決定しました。このため、プログラム コードとリソースの圧 縮解除が実行されず、アクセス違反が発生しました。Shrinker 互換性修正プログラムは、アプリケーショ ンがリダイレクトを ntdll に書き込めるように必要なオペコード署名を提供して、この問題を解決します。 Proprietary  and  Confiden/al  Informa/on.  ©  Copyright  2014,  iSIGHT  Partners,  Inc.  All  Rights  Reserved          www.isightpartners.com     24  
• 25. Prior Work
  - Alex Ionescu: Secrets of the Application Compatibility Database (SDB)
  - Mark Baggett: Windows – Own3d by Default
  - Jon Erickson: Persist-It – Using and Abusing Microsoft Fix It Patches
  - Chris Graham: Shimming Your Way Past UAC
• 26. Prior / Related Work
  - Mark Baggett: Windows - Owned By Default! (DerbyCon 2013)
    - Process Execution Redirection
    - API Hooking
    - Hiding in the File System
    - Hiding in the Registry
    - Disable Security Features of the OS
    - Execute Backdoors
• 27. InjectDll Details
  2524a TAG 7004 - SHIM
  25250 TAG 6001 - NAME: InjectDll
  25256 TAG 600a - DLLFILE: AcGenral.DLL
  2525c TAG 9010 - FIX_ID: {GUID}
  25272 TAG 1002 - GENERAL
  25274 TAG 4028 - DESCRIPTION_RC_ID: 60155 (0xeafb)
  - AcGenral.dll
  - NS_InjectDll::NotifyFn()
  - LoadLibraryW()
• 28. RedirectEXE
  26dbc TAG 7004 - SHIM
  26dc2 TAG 6001 - NAME: RedirectEXE
  26dc8 TAG 600a - DLLFILE: AcGenral.DLL
  26dce TAG 9010 - FIX_ID: {GUID}
  26de4 TAG 1002 - GENERAL
  26de6 TAG 4028 - DESCRIPTION_RC_ID: 60176 (0xeb10)
  Call chain in AcGenral.dll:
  - NS_RedirectEXE::NotifyFn()
  - CreateProcessA()
  - CloseHandle(hProcess)
  - CloseHandle(hThread)
  - ExitProcess()
• 29. Prior Work
  - Alex Ionescu: Secrets of the Application Compatibility Database (SDB)
  - Mark Baggett: Windows – Own3d by Default
  - Jon Erickson: Persist-It – Using and Abusing Microsoft Fix It Patches
  - Chris Graham: Shimming Your Way Past UAC
• 30. Fix-It Patch Analysis
  - How is this different from patches released on Patch Tuesday?
    - BinDiff mshtml.dll from MS13-097 vs. MS14-010
      - 465 different matched functions
      - 16 unmatched functions
    - Fix It patch for CVE-2013-3893
      - 2 changes
• 31. Preventing 0-Day Exploitation
  - CVE-2014-4114 / CVE-2014-6352 (October/November 2014): OLE Packager vulnerability
  - CVE-2014-0322 (February 2014): IE use after free
  - CVE-2013-3893 (September 2013): IE memory corruption
  - CVE-2012-4792 (December 2012): IE use after free
  - CVE-2012-1889 (June 2012): XML Core Services
• 34. Sandworm CVE-2014-4114
  [diagram: InfDefaultInstall.exe "EVIL.inf"]
  Steps:
  - PowerPoint loads packager.dll to handle the Packager object
  - Packager.dll copies evil.inf to the Temp folder
  - PowerPoint animation invokes the packager.dll DoVerb command
  - DoVerb command performs the "right click" context menu action for install
  - Packager.dll launches InfDefaultInstall to handle the "install" action
• 35. Sandworm CVE-2014-4114 Fix (FIXED October 2014)
  [diagram: InfDefaultInstall.exe "EVIL.inf"]
  Steps:
  - PowerPoint loads packager.dll to handle the Packager object
  - Packager.dll copies evil.inf to the Temp folder (fix: marks the file unsafe)
  - PowerPoint animation invokes the packager.dll DoVerb command
  - DoVerb command performs the "right click" context menu action for install
  - Packager.dll launches InfDefaultInstall to handle the "install" action (fix: checks for the unsafe flag and prompts the user)
• 36. Sandworm CVE-2014-4114 Fix
  [diagram: InfDefaultInstall.exe "EVIL.inf"]
• 37. CVE-2014-6352
  - CVE-2014-4114 bypasses
  [diagram: Google found it in the wild; Haifei Li found it and notified Microsoft; IDLE starts, executing a special .py file]
• 38. CVE-2014-6352
  - CVE-2014-4114 bypasses
  [diagram: Google found it in the wild (Haifei Li found it); IDLE starts and executes a special .py file]
• 39. Sandworm Bypass Fix-It
  1cae TAG 7007 - EXE
  1cb4 TAG 6001 - NAME: POWERPNT.exe
  1cba TAG 6006 - APP_NAME: POWERPNT.exe
  1cc0 TAG 6005 - VENDOR: Microsoft
  1cc6 TAG 9004 - EXE_ID: {D82187EB-A66D-4A6A-B6BA-0F5738B5D08E}
  1cdc TAG 9011 - APP_ID: {F503FB56-18CF-4B58-80D0-02AC0D38D698}
  1cf2 TAG 7008 - MATCHING_FILE
  1cf8 TAG 6001 - NAME: *
  1cfe TAG 6009 - COMPANY_NAME: Microsoft Corporation
  1d04 TAG 7008 - MATCHING_FILE
  1d0a TAG 6001 - NAME: %windir%\System32\packager.dll
  1d10 TAG 5002 - BIN_FILE_VERSION: 6.1.7601.18601
  1d1a TAG 400b - PE_CHECKSUM: 79169 (0x13541)
  1d20 TAG 700a - PATCH_REF
  1d26 TAG 6001 - NAME: ef1de1e8-f835-470d-819c-228118f7eb22
  1d2c TAG 4005 - PATCH_TAGID: 972 (0x3cc)
• 40. Sandworm Bypass Fix-It
  - Output from sdb-explorer
• 41. Sandworm Bypass Fix-It
  [screenshot: With Fix It]
• 42. CVE-2014-6352 Fix (FIXED November 2014)
  Steps:
  - PowerPoint loads packager.dll to handle the Packager object.
  - Packager.dll copies evil.inf to the Temp folder (marks the file unsafe, from the CVE-2014-4114 fix).
  - PowerPoint animation invokes the packager.dll DoVerb command.
  - DoVerb command performs the "right click" context menu action for edit.
  - Prompts the user.
  - Packager.dll launches IDLE to handle the "Edit with IDLE" action.
  - IDLE looks for a Python file with a specific name and executes it.
  - Doesn't care about the unsafe flag.
  [diagram: IDLE starts, executing evil2.py]
• 43. CVE-2014-6352 Fix
  [diagram: IDLE starts, executing evil2.py]
• 44. CVE-2014-6352 Fix
  [diagram: IDLE starts, executing evil2.py]
• 45. In-Memory Patches
  - The Application Compatibility Toolkit has no concept of in-memory patches
• 46. Analyzing the CVE-2014-6352 Fix-It
  - October 21st, 1 week after CVE-2014-4114 was patched.
  - Targets (sdb-explorer.exe -d CVE-2014-6352-32bit-Shim.sdb):
    %windir%\System32\packager.dll (6.0.6002.19192) Checksum = (0x1708a)
    %windir%\System32\packager.dll (6.0.6002.23496) Checksum = (0x1a612)
    %windir%\System32\packager.dll (6.1.7601.18601) Checksum = (0x13541)
    %windir%\System32\packager.dll (6.1.7601.22809) Checksum = (0x171ab)
    %windir%\System32\packager.dll (6.2.9200.17121) Checksum = (0x14f94)
    %windir%\System32\packager.dll (6.2.9200.21237) Checksum = (0x17675)
    %windir%\System32\packager.dll (6.3.9600.17341) Checksum = (0x173b6)
    %windir%\SysWOW64\packager.dll (6.0.6002.19192) Checksum = (0x1708a)
    %windir%\SysWOW64\packager.dll (6.0.6002.23496) Checksum = (0x1a612)
    %windir%\SysWOW64\packager.dll (6.1.7601.18601) Checksum = (0x13541)
    %windir%\SysWOW64\packager.dll (6.1.7601.22809) Checksum = (0x171ab)
    %windir%\SysWOW64\packager.dll (6.2.9200.17121) Checksum = (0x14f94)
    %windir%\SysWOW64\packager.dll (6.2.9200.21237) Checksum = (0x17675)
    %windir%\SysWOW64\packager.dll (6.3.9600.17341) Checksum = (0x173b6)
• 47. Analyzing CVE-2014-6352 (sdb-explorer)
  - sdb-explorer.exe -t my.sdb
  - Prints a tree view, similar to sdb2xml
• 48. Analyzing CVE-2014-6352 (sdb2xml)
  - sdb2xml my.sdb
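The tag dumps on slides 27, 28 and 39, the target list on slide 46 and the tree views on slides 47 and 48 are all one thing seen from different angles: an SDB is a stream of typed tags that sdb-explorer and sdb2xml walk. The walker below is an added example written for this page; it is not code from the deck or from sdb-explorer. It assumes the layout described in Ionescu's posts cited on slide 68: a 12-byte header (major, minor, 'sdbf'), 16-bit tags whose high nibble is the value type (NULL, BYTE, WORD, DWORD, QWORD, STRINGREF, LIST, STRING, BINARY), and STRINGREF values that are offsets into the body of the STRINGTABLE list. Decoding BIN_FILE_VERSION with the VS_FIXEDFILEINFO major.minor.build.revision packing is an assumption. The image it walks is constructed in memory from the deck's InjectDll tags plus an EXE entry for packager.dll 6.1.7601.18601, with an all-zero placeholder GUID where slide 27 shows {GUID}, and it renders the same offset/tag/name tree as slide 27.

```python
"""Walk a Windows Shim Database (.sdb) tag stream and print it as a tree.
Added example for this deck, not sdb-explorer's code. Layout as in Ionescu's "Secrets of the SDB"
posts: a 12-byte header (major, minor, 'sdbf'), then TAGs whose high nibble is the value type.
The sample image is constructed in memory; its FIX_ID is an all-zero placeholder GUID."""
import struct
import uuid

T_NULL, T_STRINGREF, T_LIST, T_STRING, T_BINARY = 0x1000, 0x6000, 0x7000, 0x8000, 0x9000
FIXED = {T_NULL: 0, 0x2000: 1, 0x3000: 2, 0x4000: 4, 0x5000: 8, T_STRINGREF: 4}  # BYTE..QWORD
TAG_NAMES = {  # tags seen in the deck's dumps; anything else prints as TAG_xxxx but still parses
    0x7001: "DATABASE", 0x7004: "SHIM", 0x7007: "EXE", 0x7008: "MATCHING_FILE", 0x700a: "PATCH_REF",
    0x7801: "STRINGTABLE", 0x8801: "STRINGTABLE_ITEM", 0x6001: "NAME", 0x6005: "VENDOR",
    0x6006: "APP_NAME", 0x6009: "COMPANY_NAME", 0x600a: "DLLFILE", 0x9004: "EXE_ID", 0x9010: "FIX_ID",
    0x9011: "APP_ID", 0x1002: "GENERAL", 0x4005: "PATCH_TAGID", 0x400b: "PE_CHECKSUM",
    0x4028: "DESCRIPTION_RC_ID", 0x5002: "BIN_FILE_VERSION"}

def iter_tags(data, start, end):
    """Yield (offset, tag, value_offset, value_size). LIST/STRING/BINARY carry a DWORD length."""
    pos = start
    while pos + 2 <= end:
        tag = struct.unpack_from("<H", data, pos)[0]
        ttype = tag & 0xF000
        if ttype in FIXED:
            vpos, size = pos + 2, FIXED[ttype]
        elif ttype in (T_LIST, T_STRING, T_BINARY):
            vpos, size = pos + 6, struct.unpack_from("<I", data, pos + 2)[0]
        else:
            raise ValueError(f"unknown tag type {tag:#06x} at {pos:#x}")
        if vpos + size > end:  # a length past the parent list means a malformed or crafted file
            raise ValueError(f"tag {tag:#06x} at {pos:#x} overruns its parent")
        yield pos, tag, vpos, size
        pos = vpos + size

def parse_sdb(data):
    """Return [(offset, depth, tag, name, value)] for every tag in the image."""
    if struct.unpack_from("<II4s", data, 0)[2] != b"sdbf":
        raise ValueError("not an SDB image (missing 'sdbf' magic)")
    # The STRINGTABLE follows the DATABASE, so find it first. A STRINGREF is the offset of a
    # STRINGTABLE_ITEM (tag, DWORD size, UTF-16LE text) from the start of the STRINGTABLE body.
    table = next(((v, v + s) for _, t, v, s in iter_tags(data, 12, len(data)) if t == 0x7801), (0, 0))
    rows = []
    def stringref(ref):  # with no table, (0, 0) makes every reference fail this check
        tag, size = struct.unpack_from("<HI", data, table[0] + ref)
        at = table[0] + ref + 6
        if tag != 0x8801 or at + size > table[1]:
            raise ValueError(f"bad string reference {ref:#x}")
        return data[at:at + size].decode("utf-16-le").rstrip("\x00")
    def walk(start, end, depth):
        for pos, tag, vpos, size in iter_tags(data, start, end):
            ttype, raw, value = tag & 0xF000, data[vpos:vpos + size], None
            if ttype == T_STRINGREF:
                value = stringref(int.from_bytes(raw, "little"))
            elif tag == 0x5002:  # assumed VS_FIXEDFILEINFO packing: major.minor.build.revision
                v = int.from_bytes(raw, "little")
                value = ".".join(str((v >> s) & 0xFFFF) for s in (48, 32, 16, 0))
            elif ttype in FIXED and ttype != T_NULL:
                value = int.from_bytes(raw, "little")
            elif ttype == T_STRING:
                value = raw.decode("utf-16-le").rstrip("\x00")
            elif tag in (0x9004, 0x9010, 0x9011):  # GUID-valued tags
                value = "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()
            elif ttype == T_BINARY:
                value = raw.hex()
            rows.append((pos, depth, tag, TAG_NAMES.get(tag, f"TAG_{tag:04x}"), value))
            if ttype == T_LIST:
                walk(vpos, vpos + size, depth + 1)
    walk(12, len(data), 0)
    return rows

def format_rows(rows):
    """Render like `sdb-explorer -t`: offset, tag, indented name, value."""
    show = lambda v: f": {v} ({v:#x})" if isinstance(v, int) else ("" if v is None else f": {v}")
    return [f"{p:05x} TAG {t:04x} - {'  ' * d}{n}{show(v)}" for p, d, t, n, v in rows]

def lst(tag, *children):  # LIST tag: DWORD byte length of the joined children, then the children
    payload = b"".join(children)
    return struct.pack("<HI", tag, len(payload)) + payload

class SdbWriter:
    """Builds a constructed SDB image: header, DATABASE list, then the STRINGTABLE."""
    def __init__(self):
        self.strings, self.refs = bytearray(), {}
    def sref(self, tag, text):  # STRINGREF tag, interning text in the STRINGTABLE body
        if text not in self.refs:
            self.refs[text] = len(self.strings)
            payload = text.encode("utf-16-le") + b"\x00\x00"
            self.strings += struct.pack("<HI", 0x8801, len(payload)) + payload
        return struct.pack("<HI", tag, self.refs[text])
    def build(self, *records):
        return struct.pack("<II", 2, 1) + b"sdbf" + lst(0x7001, *records) + lst(0x7801, bytes(self.strings))

def build_sample():
    """Constructed image: the deck's InjectDll SHIM plus an EXE matching packager.dll 6.1.7601.18601."""
    w = SdbWriter()
    shim = lst(0x7004, w.sref(0x6001, "InjectDll"), w.sref(0x600a, "AcGenral.DLL"),
               struct.pack("<HI", 0x9010, 16) + uuid.UUID(int=0).bytes_le,  # placeholder FIX_ID
               struct.pack("<H", 0x1002), struct.pack("<HI", 0x4028, 60155))
    exe = lst(0x7007, w.sref(0x6001, "POWERPNT.exe"),
              lst(0x7008, w.sref(0x6001, "%windir%\\System32\\packager.dll"),
                  struct.pack("<HQ", 0x5002, (6 << 48) | (1 << 32) | (7601 << 16) | 18601),
                  struct.pack("<HI", 0x400b, 0x13541)))
    return w.build(shim, exe)

if __name__ == "__main__":
    print("\n".join(format_rows(parse_sdb(build_sample()))))
```

Swap build_sample() for the bytes of a file under %WINDIR%\AppPatch\Custom and the EXE, MATCHING_FILE, SHIM and PATCH_REF rows tell you what that database matches and what it applies, which is the check the Recommendations slide asks for. The two ValueError guards matter for exactly that use: a dropped SDB is attacker-controlled input, so a list length that runs past its parent or a string reference outside the table is rejected rather than read.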
• 49. Patch Details
  - patch, patchbits, patchref, patch_tag_id, checksum
• 50. Patch Details
  sdb-explorer.exe -p CVE-2014-6352-32bit-Shim.sdb 0x2ea
• 51. IDAPython Script
  sdb-explorer.exe -i -p CVE-2014-6352-32bit-Shim.sdb 0x2ea
• 52. Persist-It
  - sdb-explorer
  - Explanation of the in-memory patch file format
    - Lots of details
  - Shows how to analyze Fix-It patches
  - Showed how to create your own in-memory patches
• 53. Prior Work
  - Alex Ionescu: Secrets of the Application Compatibility Database (SDB)
  - Mark Baggett: Windows – Own3d by Default
  - Jon Erickson: Persist-It – Using and Abusing Microsoft Fix It Patches
  - Chris Graham: Shimming Your Way Past UAC
• 54. Shimming Your Way Past UAC
  - Windows-signed files with "AutoElevate" permission
    - Example: SndVol.exe
  - Uses the RedirectEXE shim type
  - Steps:
    - Create a shim for SndVol.exe that does RedirectEXE to evil.exe
    - Register the shim
    - Start SndVol.exe
• 55. Agenda
  - What is Application Compatibility
  - Tools
  - Prior Work
  - EMET
  - Real World Example
• 56. EMET
  - The Enhanced Mitigation Experience Toolkit
  - DEP
  - SEHOP
  - Null Page
  - Heap Spray Protection
  - EAF
  - Mandatory ASLR
  - ROP Detection
  - Attack Surface Reduction
• 57. EMET
  - %WINDIR%\AppPatch\EMET.dll
  - %WINDIR%\AppPatch\AppPatch64\EMET.dll
• 58. EMET
  - EMET Shim
• 59. Agenda
  - What is Application Compatibility
  - Tools
  - Prior Work
  - EMET
  - Real World Example
• 60. Real World Examples
  - Search Protect
  - BlackEnergy
  - Win32/Farfli.BEK
• 61. Search Protect
  - Potentially unwanted program (PUP)
    - Adware
  - Now using Application Compatibility to persist
    - Uses the InjectDll shim
    - Loads the Search Protect library into browsers
• 62. BlackEnergy/Quedagh
  - Recently targeting the Ukrainian government.
  - Uses a UAC bypass.
    - Same technique as Chris Graham's
  - Driver signing bypass
    - Shim?
    - To patch user32.dll.mui
  https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
• 63. Win32/Farfli.BEK Persistence
  - Anton Cherepanov (ESET) reported it at ZeroNights 2014
  - Win32/Farfli.BEK drops the following files:
    %WINDIR%\AppPatch\msimain.mui (raw code)
    %WINDIR%\AppPatch\AcProtect.dll
  - Drops a shim database and registers it:
    %WINDIR%\AppPatch\Custom\%GUID%.sdb
• 64. Win32/Farfli.BEK Persistence
  - EMET-style sdb
• 65. What Can You Do?
  - Disable the Shim Engine
    - I do NOT recommend this
    - Breaks EMET
    - Disables 0-day Fix-Its
  - GPEdit.msc
    - Administrative Templates > Windows Components > Application Compatibility > Turn off Application Compatibility Engine
• 66. Recommendations
  - Search your registry and file system
    - Your system will have SDB files; there are defaults
    - Use the knowledge you gained
  - AutoRuns (Sysinternals) does not consider Application Compatibility fixes
    - They are aware and are working on it ☺
  - Add signatures to SDB files (Microsoft)
  - Notification of non-signed SDB files running, or about to run (Microsoft)
• 67. Summary
  - The Application Compatibility Toolkit is a new method attackers are using today.
  - This is not a vulnerability
  - This is a feature that attackers are abusing
  - Defenders should start looking for this on the machines in their networks.
  - An SDB file requires Administrator privilege to install
• 68. References
  - Baggett, M. (2013, February 23). 2013 Posts and Publications. Retrieved October 23, 2013, from In Depth Defense: http://www.indepthdefense.com/2013/02/2013-posts-and-publications.html
  - Ionescu, A. (2007, May 20). Secrets of the Application Compatibility Database (SDB) – Part 1. Retrieved September 5, 2013, from Alex Ionescu's Blog: http://www.alex-ionescu.com/?p=39
  - Ionescu, A. (2007, May 26). Secrets of the Application Compatibility Database (SDB) – Part 3. Retrieved September 5, 2013, from Alex Ionescu's Blog: http://www.alex-ionescu.com/?p=41
  - Mark Russinovich, B. C. (2013, August 1). Autoruns for Windows v11.70. Retrieved September 5, 2013, from Windows Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
  - Microsoft. (2013, September 6). !chkimg. Retrieved October 2, 2013, from Dev Center: http://msdn.microsoft.com/en-us/library/windows/hardware/ff562217%28v=vs.85%29.aspx
  - Microsoft. (2013, October 1). Application Compatibility Database. Retrieved October 23, 2013, from Microsoft Developer Network: http://msdn.microsoft.com/library/bb432182.aspx
  - Microsoft. (2013). Fix it Solution Center. Retrieved October 24, 2013, from Microsoft Support: http://support.microsoft.com/fixit/
  - Microsoft. (2012, October 1). Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution. Retrieved September 5, 2013, from Microsoft Support: http://support.microsoft.com/kb/2719615
  - Microsoft. (2012, December 7). Shim Database Types. Retrieved September 5, 2013, from Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/bb432483%28v=vs.85%29.aspx
  - Sikka, N. (2013, September 17). CVE-2013-3893: Fix it workaround available. Retrieved October 2, 2013, from Security Research & Defense: http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx
  - Stewart, H. (2007, November 3). Shim Database to XML. Retrieved September 5, 2013, from Setup & Install by Heath Stewart: http://blogs.msdn.com/b/heaths/archive/2007/11/02/sdb2xml.aspx
  - http://blogs.msdn.com/b/maartenb/archive/2009/07/24/disabling-a-shim.aspx
  - https://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx
  - ddilabs.blogspot.com/2014/05/shimming-your-way-past-uac.html
• 69. Thanks
  - Kat, Josh, Sam, zen, Mac, Mike, Dave, Sean, Darel, Brad A., Matt G., Mark B., Chris G., Mark R., Microsoft, iSIGHT Partners, and all others who will remain nameless.
• 70. Questions
  - jerickson <@> isightpartners.com
  - Source code: https://github.com/evil-e/sdb-explorer