BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:Title: Malware design - abusing legacy Microsoft transports and\n
 session architecture\n
 When: Friday\, Aug 11\, 16:30 - 17:15 PDT\n
 Where: Caesars Forum - Academy - 407-410 - Track 4\n\n
 SpeakerBio: R.J. "BeetleChunks" McDown\, Principal Red Teamer\n
 R.J. McDown (BeetleChunks) is a computer scientist who has made a\n
 career out of hacking into numerous Fortune 500 companies through\n
 consulting red team engagements and penetration tests. R.J. is an avid\n
 Python and C/C++ developer who has created custom tools for bypassing\n
 leading EDR solutions and OS-based monitoring\, including a tool\n
 released at DerbyCon 7 called RedSails. Every now and then R.J. turns\n
 his focus to developing fuzzing harnesses\, which has led to the\n
 discovery of critical zero-day vulnerabilities in popular applications\n
 including Microsoft Outlook (CVE-2019-1199) and ManageEngine OpManager\n
 (CVE-2020-12116).\n
 Twitter: @BeetleChunks (https://twitter.com/BeetleChunks)\n\n
 Description:\n
 The future isn’t certain\, nor is the continued access to our\n
 compromised endpoints. At some point\, every red team operator faces\n
 the gut-wrenching event of losing command and control (C2) access.\n
 This often occurs when post-exploitation activity is detected and\n
 associated with the C2 process and channel. Further link analysis may\n
 lead to the discovery of other compromised endpoints\, secondary C2\,\n
 and compromised credentials. Needless to say\, a single mistake can\n
 cause a huge disruption in access and even lead to the detriment of\n
 the entire engagement.\n\n
 This talk will present and demonstrate the methodologies and\n
 techniques built into Obligato\, a covert implant tasking and\n
 communications framework\, designed with the primary objectives of\n
 breaking process chaining events\, disassociating network communication\n
 from the implant\, providing a means for maintaining or regaining\n
 access\, and evading dynamic analysis.\n\n
 Technical information will be explained and demonstrated at both high\n
 and low levels\, so prior knowledge is not required. However\, to get\n
 the most out of the talk\, attendees are encouraged to have a basic\n
 understanding of general Windows architecture\, networking\, and\n
 programming concepts.\n\n
 REFERENCES:\n
 [1] Pyle\, Ned. “The Beginning of the End of Remote Mailslots.”\n
 Tech Community\, Microsoft\, 8 Mar. 2023\,\n
 https://techcommunity.microsoft.com/t5/storage-at-microsoft/the-beginning
 -of-the-end-of-remote-mailslots/ba-p/3762048.\n\n
 [2] Microsoft Corporation. “[MS-MAIL]: Remote Mailslot Protocol.”\n
 Microsoft\, 25 June 2021\,\n
 https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/
 MS-MAIL/[MS-MAIL].pdf.\n\n
 [3] Aggarwal\, Avnish. “PROTOCOL STANDARD FOR A NetBIOS SERVICE.”\n
 IETF\, RFC Editor\, Mar. 1987\,\n
 https://datatracker.ietf.org/doc/html/rfc1001.\n\n
 [4] MITRE ATT&CK. “Enterprise Techniques.” MITRE ATT&CK\,\n
 25 Oct. 2022\, https://attack.mitre.org/techniques/enterprise/.\n\n
 [5] Yosifovich\, Pavel. “Parent Process vs. Creator Process.”\n
 Pavel Yosifovich\, 10 Jan. 2021\,\n
 https://scorpiosoftware.net/2021/01/10/parent-process-vs-creator-process/.\n\n
 [6] Schwarz\, Roland. “Thread Local Storage - the C++ WAY.”\n
 CodeProject\, 28 Aug. 2004\,\n
 https://www.codeproject.com/Articles/8113/Thread-Local-Storage-The-C-Way.\n\n
 [7] The Chromium Authors. “chromium/thread_local_storage_win.cc at\n
 main - chromium/chromium.” GitHub\, The Chromium Project\, Jan. 2012\,\n
 https://github.com/chromium/chromium/blob/main/base/threading/
 thread_local_storage_win.cc.\n\n
 [8] timb3r. “How to Find Hidden Threads - ThreadHideFromDebugger -\n
 AntiDebug Trick.” Guided Hacking\, 27 Dec. 2019\,\n
 https://guidedhacking.com/threads/how-to-find-hidden-threads-threadhidefro
 mdebugger-antidebug-trick.14281/.\n\n
 [9] Chappell\, Geoff. “THREADINFOCLASS.” Jan. 1997\,\n
 https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ps/psquery/
 class.htm.\n\n
 [10] GrantMeStrength. “GetMailslotInfo Function (Winbase.h) - Win32\n
 Apps.” Microsoft Learn\, 10 Oct. 2021\,\n
 https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-get
 mailslotinfo.\n\n
 [11] Alvinashcraft. “Impersonation Tokens - Win32 Apps.” Microsoft\n
 Learn\, 1 July 2021\,\n
 https://learn.microsoft.com/en-us/windows/win32/secauthz/impersonation-tok
 ens.\n\n
 [12] GrantMeStrength. “CreateProcessWithTokenW Function (Winbase.h) -\n
 Win32 Apps.” Microsoft Learn\, 2 Jan. 2023\,\n
 https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-cre
 ateprocesswithtokenw.\n\n
 [13] QuinnRadich. “WTSQueryUserToken Function (Wtsapi32.h) - Win32\n
 Apps.” Microsoft Learn\, 10 Dec. 2021\,\n
 https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-w
 tsqueryusertoken.\n\n
 [14] Karl-Bridge-Microsoft. “PEB (Winternl.h) - Win32 Apps.” Microsoft\n
 Learn\, 31 Aug. 2022\,\n
 https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-p
 eb.\n\n
 [15] Yosifovich\, Pavel. Windows 10 System Programming Part 1.\n
 Independently Published.\n\n
 [16] Yosifovich\, Pavel. Windows 10 System Programming Part 2.\n
 Independently Published.\n
DTEND:20230812T001500Z
DTSTART:20230811T233000Z
LOCATION:DC - Caesars Forum - Academy - 407-410 - Track 4
SUMMARY:Malware design - abusing legacy Microsoft transports and session ar
 chitecture
END:VEVENT
END:VCALENDAR
