DC9723 February 2018 Meeting

When: 27 February 2018, from 18:45 to 22:00
Where: SafeBreach offices in Tel Aviv (Yosef Karo 18, 4th floor, Tel Aviv)

Agenda:

Brief Introduction
No Win32_Process Needed: Expanding the WMI Lateral Movement Arsenal – Phillip Tsukerman
Get Rich or Die Trying – Mark Lechtik, Or Eshed

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, so please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title:
No Win32_Process Needed: Expanding the WMI Lateral Movement Arsenal – Phillip Tsukerman

Abstract:

For quite some time now, WMI has resided in the main roster of techniques used by threat actors to perform lateral movement between endpoints. Despite the vast scope of classes and methods available through WMI, attackers moving laterally seem to rely almost exclusively on the “Create” method of the “Win32_Process” class, diving further into the depths of the WMI model only to perform reconnaissance and establish persistence.

This talk will exhibit various never-before-seen techniques for authenticated (file-based and fileless) remote execution, using only pure-WMI methods, along with stealthier enhancements of known techniques, all of which subvert many host and network-based methods of detection without using the notorious Win32_Process class.

The talk will also describe the strengths and weaknesses of, and provide detection methods for, every technique described.

Title:
Get Rich or Die Trying – Mark Lechtik, Or Eshed

Abstract:

In a World where oil is scarce and people click mail attachments they really shouldn’t, One Man sets out on an epic journey for glory, conquest, and other people’s money. So begins the amazing tale of the “Oil bot” campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian chutzpah. The talk will follow the entire course of Check Point’s investigation into this affair – from the few emails that didn’t add up, through the campaign’s not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredible details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?

And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: in this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to him; it is you who is angrily calling your bulk provider, asking where all your money went.