00:00:00.033-->00:00:05.105
>> Uh, I guess there is no goon
introducing us. So, we will have
to do everything ourselves -

00:00:05.105-->00:00:10.110
alright so, so I'm Dennis a lot
of you guys know me. Yay for
Houston! [cheering] And, uhm.. A

00:00:14.114-->00:00:17.885
lot of you know me from my
previous talk - I talked about
access control systems. So, this

00:00:17.885-->00:00:22.923
is going to be my second time,
uh, speaking I, I work for LARES
Consulting, I'm an adversarial

00:00:22.923-->00:00:27.828
engineer my best, my most
favorite title yet. Uhm, I am
also, since I'm from Houston I'm

00:00:27.828-->00:00:31.865
a founder of Houston lock sport
or lock-picking club, uh, and
you Houston Area Hackers

00:00:31.865-->00:00:36.737
Anonymous just a bunch of us
hanging out drinking beers and
doing micro talks in Houston.

00:00:36.737-->00:00:42.809
So, ooooooh what have we got
here? >> Lavations for your
talk. >> AH, thank you so much!

00:00:42.809-->00:00:47.814
[cheering] Round of applause for
Kyle. [applause] Ooh, that's
good. >> Alright, and so I'm

00:00:50.250-->00:00:55.188
Tim, I'm a red team manager for
LARES which means, uhm, I don't
want to call Dennis an employee

00:00:55.188-->00:00:59.092
but but more of a team lead,
consultant, uh, that sort of
thing. This is my 10th year as a

00:00:59.092-->00:01:03.563
DefCon goon so I'm eligible for
retirement now which is always
fun. [cheering] Yea, woo. I am

00:01:03.563-->00:01:08.201
also a former CCDC Team coach
for a group of college students
through CCDC, I don't know who

00:01:08.201-->00:01:13.407
of you are familiar with that
program. I see you guys in the
back. And, uh.. awesome. And I'm

00:01:13.407-->00:01:17.411
also former CTF participant for
DefCon, I did that for 2 years
in a row; I also ran the

00:01:17.411-->00:01:19.813
wireless contest for a couple of
years. So, I've kind of been
around, I have been done a

00:01:19.813-->00:01:24.251
little bit of everything this is
also my 2nd DefCon talk. So,
what we're gonna talk about is

00:01:24.251-->00:01:27.721
sticky keys. If ever, if I say
sticky keys does everybody in
here know what we're talking

00:01:27.721-->00:01:33.694
about? [muttering] That's how
you get into your computer,
exactly right! [laughter] So if

00:01:33.694-->00:01:37.564
you Google for how to reset
Windows passwords, like, 8 of
the top 10 links are on Google

00:01:37.564-->00:01:42.569
are, uhm, pages that tell you
"Reboot off of your rescue CD;
go and copy cmd.exe; overset

00:01:44.938-->00:01:51.812
cmd.exe; reboot; at the login
prompt press shift 5 times; use
net user; change your password;

00:01:51.812-->00:01:56.383
close the window; login and you
are done". There's only one or
two of those sites that actually

00:01:56.383-->00:01:59.920
says "Clean up after yourself
when you are done" so there's
are a lot of boxes out there

00:01:59.920-->00:02:06.493
still have cmd replaced or cmd
replacing chc and these boxes
are kind of just ripe for the

00:02:06.493-->00:02:10.130
picking. So it was used as a
persistent mechanism like there
is a Carnal 0wnage blog on it

00:02:10.130-->00:02:14.134
there several different places
that tell you how to do this.
Uhm, and with this though, so

00:02:14.134-->00:02:17.671
there's no event logs that are
generated when we actually
execute this backdoor. So, there

00:02:17.671-->00:02:21.241
is no trace that you press shift
5 times and you get a command
prompt because of it's

00:02:21.241-->00:02:27.014
pre-authentication. So, there's
two ways that you can go about
backdooring and the and one of

00:02:27.014-->00:02:30.817
them is the binary replacement -
actually replacing any of the
pre-authentication accessibility

00:02:30.817-->00:02:35.822
tools with cmd or you can set
the image file execution option
"registry debugger key" to be

00:02:38.558-->00:02:43.463
cmd.exe and so whenever you, uh,
access any of the accessibility
tools from within Windows you

00:02:43.463-->00:02:47.934
get a command prompt, uh,
running as system
pre-authentication. So here's a

00:02:47.934-->00:02:51.338
list of the accessibility tools
available pre-authentication
you've got the binary on the

00:02:51.338-->00:02:55.175
left the description of what the
tool actually does in the middle
and on the right you've got how

00:02:55.175-->00:02:58.445
you actually access that and so
and so that's gonna come im..
important later when we actually

00:02:58.445-->00:03:04.418
start talking about the tool.
But, Microsoft does have some
limitations on what binaries you

00:03:04.418-->00:03:09.589
can replace any of the
accessibility tools with. So,
uhm, the first limitation is you

00:03:09.589-->00:03:12.759
have to have elevated access on
the box; you're gonna have to
have administrator system to

00:03:12.759-->00:03:17.631
begin with. So we're not
actually exploiting the box and
we're not actually, uhm, placing

00:03:17.631-->00:03:20.600
a backdoor - we're just taking
advantage of a backdoor that
somebody else has already put on

00:03:20.600-->00:03:25.138
the box. The binary must be
digitally signed this is
Microsoft restriction for that;

00:03:25.138-->00:03:29.509
the binary must exist in system
32 and it must be on the Windows
protected file list. And, so, if

00:03:29.509-->00:03:32.612
you've ever ran system file
checker and it gets back and
says "Hey, look these binaries

00:03:32.612-->00:03:35.782
have been replaced or there's
something wrong with them" and
it fixes them, that's a Windows

00:03:35.782-->00:03:40.720
protected file list. And you can
get a list of those from, uhm,
Microsoft's website. But, so you

00:03:40.720-->00:03:45.258
can't just use any old binary -
you have to use something that
meets those criteria and cmd.exe

00:03:45.258-->00:03:50.330
meets all three of those
criteria. And so we were working
with a incident response team in

00:03:50.330-->00:03:55.235
an organization and they had
uncovered via the file system
side of things several boxes

00:03:55.235-->00:03:59.539
that had, uh, this persistence
mechanism put in place. And so
it was more than likely a

00:03:59.539-->00:04:03.477
systems administrator, could
have been a rogue admin, could
have been some APT group that

00:04:03.477-->00:04:07.581
was in the environment - don't
know how they are actually got
there but, uhm, we wanted

00:04:07.581-->00:04:11.952
something to where we could scan
for this from the networks side.
So, uhm, we started l... uhm,

00:04:11.952-->00:04:15.956
well let me back up a little
bit. The problem with looking
for binaries that have been

00:04:15.956-->00:04:19.226
replaced on the disc is you
don't actually catch the image
file execution option unless

00:04:19.226-->00:04:22.963
you're sweeping your registry as
well. You're going to miss on
any unmanaged boxes so, boxes

00:04:22.963-->00:04:27.167
that the group does not have
administrative access on, you're
going to miss any, uh, any boxes

00:04:27.167-->00:04:30.704
that don't have administrative
privileges. Uhm, and so we had a
need for a network based

00:04:30.704-->00:04:36.643
scanner. We started looking into
writing our own using Java rtp
or looking at Python and had a

00:04:36.643-->00:04:42.282
bunch of problems and had just a
hate for Java that we couldn't
get over. [laughter] So, we run

00:04:42.282-->00:04:46.653
across Zach Grace's proof of
concept scrip, script Sticky
Keys Hunter. Uhm, Sticky Keys

00:04:46.653-->00:04:52.726
Hunter was a great starting
point for us. It gave us a, uhm,
a, a decent framework for how we

00:04:52.726-->00:04:56.763
kind of wanted to implement our
script but his script was
similar to the Peeping Tom

00:04:56.763-->00:05:00.133
program. If any of you are
pentesters and you have seen
Peeping Tom, its scrapes a bunch

00:05:00.133-->00:05:03.970
of websites and will take a
bunch of screenshots of them and
then just give you a page where

00:05:03.970-->00:05:06.840
you can just scroll through
looking at them. And so if you
'e talking about a large

00:05:06.840-->00:05:12.812
organization with any way from
100 to 100000 end-points that's
a lot of screenshots just to

00:05:12.812-->00:05:17.584
scroll through looking for a
command prompt. So we wanted to
a way to automate some of that

00:05:17.584-->00:05:23.557
for us. And so, uhm, Zach's
script also in the to-do's had
an automatic command prompt

00:05:23.557-->00:05:25.992
detection and then
multithreading to make the
script faster. It made took

00:05:25.992-->00:05:30.997
about 25 to 30 seconds per host
and we did some optimizations on
that. >> Alright so we started

00:05:33.400-->00:05:38.438
with the Sticky Keys Hunter
script that we, you know, Tim
talked about and we went through

00:05:38.438-->00:05:43.009
it. Just, we wanted to help
improve it and kind of help
complete it's to-do items point

00:05:43.009-->00:05:48.014
and what ended up happening was
I, I spent way too much time on
it. Just seeing things that I

00:05:50.150-->00:05:55.222
wanted to do differently and so
we ended up more than double the
lines of code what it, what it

00:05:55.222-->00:05:59.693
originally was and we
implemented a, a lot of
performance improvements, uh,

00:05:59.693-->00:06:04.397
some error handling to help
with, you know, when, if hosts
go down or whatever. Uh, lots of

00:06:04.397-->00:06:09.369
detailed logging to help with
reporting, uh, and as well as it
is now parallelized so you, it

00:06:09.369-->00:06:13.506
will scan more than one host at
a time and that dramatically
improves the amount of time it

00:06:13.506-->00:06:18.545
takes to scan a list, a range of
hosts or IPs. And it also
automatically alerts on command

00:06:18.545-->00:06:22.882
prompts, uh, on hosts it thinks
it actually found a command
prompt on. And so you don't have

00:06:22.882-->00:06:26.886
to scroll through thousands and
thousands of uh, uh,
screenshots. Uh, and of course

00:06:26.886-->00:06:31.958
it's in batch so it's tailored
towards Linux we've program this
on Kali Linux, uh, uh, all the

00:06:31.958-->00:06:38.064
tools you will need is available
for Kali, so, uhm, that's our
scripts. Let me demo this for

00:06:38.064-->00:06:43.470
you - I'm gonna start, I'm gonna
start by demoing what Tim talked
about what's, what the... what

00:06:43.470-->00:06:47.907
the, what the sticky keys
vulnerability is. So, I'm going
to remote desktop into, uh, a

00:06:47.907-->00:06:51.878
computer and just show you what
happens is you're gonna see a
Windows login prompt and we are

00:06:51.878-->00:06:55.415
not going to put in any
credentials. We are just going
to be presented with that login

00:06:55.415-->00:07:00.353
prompt. Uh, and this, this, uh,
computer is vulnerable to the
sticky key backdoor so all we do

00:07:02.656-->00:07:07.894
is press shift 5 times. I'm
gonna do this. [key pressed]
There you go, and now you see we

00:07:07.894-->00:07:13.867
have a command prompt and
because this is spawning from
when logged on the exe, you can

00:07:13.867-->00:07:19.339
see who am I? We are system the
highest level access you can get
on that computer. And so that's

00:07:19.339-->00:07:23.910
just, that's just a method of
persistence of backdoor that lot
of people do, and, uh, so our

00:07:23.910-->00:07:28.581
script... Let's go back to the
PowerPoint here - our script
automates searching for that,

00:07:28.581-->00:07:33.186
automates actually scanning for
that vulnerability. Uh, you'll
see here - let's press play

00:07:33.186-->00:07:38.258
carefully. Does that, does that
work? Okay, so it's going,
you'll see its name banana.sh,

00:07:38.258-->00:07:43.096
when we recorded this I had no
idea what to name it so Tim and
I settled on banana, but uh, now

00:07:43.096-->00:07:47.233
it's "Sticky Keys Slayer". So,
uhm... [laughter] But you can
see that I've, I told it do 8

00:07:47.233-->00:07:50.503
threads at a time, it's doing a
host of like 20-something hosts
- uh, lists of 20-something

00:07:50.503-->00:07:54.841
hosts. And it's going through
each one; it's establishing a
connection to it; it's taking a

00:07:54.841-->00:07:58.378
screenshot; hitting shift 5
times as well as other keyboard
shortcuts; taking another

00:07:58.378-->00:08:02.482
screenshot and then comparing
the amount of black pixels that
are on the screen and it will

00:08:02.482-->00:08:06.286
alert "Okay, well I've found a
lot of black pixels it's within
this range of this percentage

00:08:06.286-->00:08:09.889
and this percentage. I think you
have a command prompt." Once
it's done you can see the

00:08:09.889-->00:08:15.061
logging there; I hope the text
is not too small. Uh, you can...
can look through the screenshots

00:08:15.061-->00:08:18.665
and you see the screen shots of
all the hosts that don't have a
command prompt and in that

00:08:18.665-->00:08:22.936
discovered folder that I'm going
to click on in a second you'll
see all the hosts actually has a

00:08:22.936-->00:08:27.674
command prompt you can use and
you can see them in there. Uh,
there's one of them. So... to

00:08:27.674-->00:08:32.545
reiterate there's a, there's a
Sticky Key Slayer that's is the
real name specify "-jh" for the

00:08:32.545-->00:08:38.385
number of jobs. Demo host is
just a list of targets line by
line and then you get the

00:08:38.385-->00:08:42.422
screenshots for all the
computers, uh, and in the
discovery folder there's the

00:08:42.422-->00:08:45.558
ones that actually have the
command prompt point and there
it is. And, those are computers

00:08:45.558-->00:08:50.063
that we have full system level
remote code execution on without
any work using someone else's

00:08:50.063-->00:08:55.735
backdoor. >> So, free money. >>
So, free, money. So, uh, tool
usage so that, that, I mean,

00:08:55.735-->00:09:00.774
that's the tool that's the jist
of it it's like 360 lines of
code but that's all it does.

00:09:00.774-->00:09:05.779
Uhm, stick, uh, sticky keys,
excuse me, tool usage Sticky Key
Slayer.sh. So, there's uhm, uh,

00:09:08.047-->00:09:13.353
a few parameters that you can
choose. You can do "-v" for
verbose it does, does output,

00:09:13.353-->00:09:16.656
uh, some information to you but
you can make it more verbose if
you maybe wanna, maybe

00:09:16.656-->00:09:21.661
something's wrong or you just
want more information. Uh, you
can specify the number of jobs,

00:09:21.661-->00:09:26.332
uh, it defaults one job at a
time but you can give it as much
as you want, uh, as much as your

00:09:26.332-->00:09:30.703
CPU can handle. Don't try a
thousand because it WILL crash.
[laughter] But I've had, I've

00:09:30.703-->00:09:36.443
had success on a Kali vm running
on a MacBook Pro about 24, uh,
and that will scan about 22000

00:09:36.443-->00:09:41.848
hosts in about 3 hours. So
that's pretty good. Uh, timeout
you guys are familiar with the

00:09:41.848-->00:09:46.219
term timeout - it will try a
certain job for a certain a
certain amount of time before it

00:09:46.219-->00:09:50.256
just errors out. You can specify
the timeout it defaults to 30
seconds and then target list you

00:09:50.256-->00:09:56.162
can give it a single target an
IP or a host or a s.. or a fqdn
or you can give it a lists of

00:09:56.162-->00:10:01.801
hosts. And that that's the money
right there you can give it a
list of 20000 hosts let it run;

00:10:01.801-->00:10:06.105
go home; come back and get all
of these, get hundreds of
thou... sorry get 20000

00:10:06.105-->00:10:12.011
screenshots, uh, when you come
back. So some limitations to the
tool it dies tie up with a

00:10:12.011-->00:10:17.050
computer you're using, as you
can see it was popping up a
bunch of remote desktop windows.

00:10:17.050-->00:10:21.154
Uh, so it's kind of hard to use
it, when you're, you're, uh,
it's hard to use a computer when

00:10:21.154-->00:10:27.227
you're using the script so have
a vm dedicated just to that for,
for that time. Uhm, and, uh, as

00:10:27.227-->00:10:32.232
well as we, when Tim and I were
doing some scans on some other
IP addresses... >> With their

00:10:34.734-->00:10:39.739
permission >> Uhm... >> Wink. >>
Uh, we find the majority of
them, majority of the back door

00:10:42.442-->00:10:47.480
were cmd.exe, however the were a
few that were something else
like task manager or .mmc, or

00:10:47.480-->00:10:52.252
something, you know, custom. And
our script, of course doesn't
detect those because it's

00:10:52.252-->00:10:57.657
looking for a certain amount of
black pixels. Uh, so, uh, maybe
in the future where Tim and I

00:10:57.657-->00:11:02.028
are kind of working on how we're
going to engineer that,
engineer, like, detecting an..

00:11:02.028-->00:11:08.334
any anom... any anomalous
behavior not just cmd. Uhm,
statistics... >> Alright, so,

00:11:08.334-->00:11:12.338
uhm, based on Dennis and I's
assessments and then based on
some assessments from some other

00:11:12.338-->00:11:15.575
friends and some other things,
we've probably scanned about
half a million boxes. Uhm, we've

00:11:15.575-->00:11:18.211
turned these over to some large
organizations for internal
scanning and there's a pretty

00:11:18.211-->00:11:21.447
decent success rate internally
for some of the box... some of
the environments that we were

00:11:21.447-->00:11:25.818
in. But we decided to turn
around and look at a large
business-class ISP, I went to

00:11:25.818-->00:11:31.791
Showden did a search for
business ISP and then, uh, port
3389 got a list of boxes that

00:11:31.791-->00:11:35.395
were exposed... that we're
exposing RTP to the internet and
there were about a hundred

00:11:35.395-->00:11:40.233
thousand or so, roughly, in that
list. Uhm, we had 570 system
shells by the time the scan was

00:11:40.233-->00:11:46.005
done - it took about 6 or 8
hours to scan that large of an
IP space. So that was one out of

00:11:46.005-->00:11:50.343
ever... of the one, the real
statistic was, like, one out
every 173 boxes; 1 out of every

00:11:50.343-->00:11:54.714
175 makes a great round number
for it. But, that was far more
boxes than we thought were

00:11:54.714-->00:11:59.018
actually going to be vulnerable
to a backdoor that's been around
for years. I mean, our, our

00:11:59.018-->00:12:03.056
first step into this was "This
is going to be stupid, nobody's
ever going to do this".

00:12:03.056-->00:12:07.560
[laughter] And it turns out this
is happening all over the place.
So by looking at the domain

00:12:07.560-->00:12:10.530
names and the login screen
there's educational
institutions, there's law

00:12:10.530-->00:12:14.500
offices, manufacturing
facilities, hospitals... Uhm,
pretty much any vertical that

00:12:14.500-->00:12:20.239
you can think of have free
system shells on their boxes.
So, if you step into an

00:12:20.239-->00:12:23.710
assessment or an environment, if
you're doing an ex.. an external
test and they have rtp enabled -

00:12:23.710-->00:12:27.981
hey, take a shot, it may work!
If you're internal that's even
better you may find one or two

00:12:27.981-->00:12:31.484
servers, and those one or two
servers you've got a system
shell on that you can run meme

00:12:31.484-->00:12:36.489
cats or go from there with
absolutely no login. [pause] >>
By the way, that's 570+ shells

00:12:39.392-->00:12:45.098
we got, like, with no work
required, how is that not worth
a round of applause? [cheering]

00:12:45.098-->00:12:50.103
Now, alright, now we're gonna
talk about what matters most,
right? The recommendations, the

00:12:55.942-->00:13:00.213
remediation, the prevention,
detection. So we have a lot of,
we've worked a lot on, on, on

00:13:00.213-->00:13:05.685
the remediation side of this. So
we came up with uh, uh, a few
techniques, a few, uh, just,

00:13:05.685-->00:13:10.757
just ways, so, to help mitigate
this, so, uh, if you do find,
uh, one of these, uh, one of the

00:13:10.757-->00:13:14.827
boxes in your environment are
vulnerable to this backdoor
there are a few things you can

00:13:14.827-->00:13:20.133
do. You can delete the
executable - if there's, if, if
cmd was replaced by sethc.exe or

00:13:20.133-->00:13:25.171
anyone of those other, uh,
accessibility tools you can just
simply delete 'em. They're not

00:13:25.171-->00:13:30.877
totally necessary to make your
computer function, uh, and, your
computer will eventually in an

00:13:30.877-->00:13:35.548
update or when it does an
integrity check it'll, it'll
replace those files back to rtp.

00:13:35.548-->00:13:40.520
Uhm, if you don't wanna delete
'em you can force an integrity
check - you can use "sfc.exe"

00:13:40.520-->00:13:44.857
which is system file checker
that's built into Windows and
what that'll do, that will, uh,

00:13:44.857-->00:13:49.796
scan all the Windows protected
files in which, all of these are
Windows protected files, and

00:13:49.796-->00:13:54.467
it'll check "Are these the files
that they're supposed to be?" -
if not, it'll replace them back

00:13:54.467-->00:13:59.138
to what they're supposed to be.
So you can run sfc scan now and
you can specify to do the, all,

00:13:59.138-->00:14:04.711
your entire drive or specific
files. Uhm, if, if this was done
through the registry method

00:14:04.711-->00:14:09.615
using the debugger to make it
run, uh, you can simply delete
that registry key, that key does

00:14:09.615-->00:14:14.954
not need to be there. Uh, delete
the whole key for sethc.exe or
u.. utilman or whatever.

00:14:14.954-->00:14:19.692
[audience noise] Uhm, and one
thing I like, to, to, to inform
people is that I, I really feel

00:14:19.692-->00:14:24.564
that they should treat this as
an indicator of compromise. If
they find, if you guys find this

00:14:24.564-->00:14:28.735
backdoor in your environment
it's going to be one of two
things: someone's subverted

00:14:28.735-->00:14:34.841
processes, uh, and put this
backdoor in for whatever reason,
maybe it's, maybe it's just a

00:14:34.841-->00:14:38.044
simple reason - they wanted to
get in, in case something goes
wrong or maybe it, they wanted

00:14:38.044-->00:14:43.549
to get in when they got fired.
Uhm, so there's that and then
there's also, if, if it's not

00:14:43.549-->00:14:48.955
that reason it's an indicator of
compromise. Maybe there's uh, an
intrusion in your network

00:14:48.955-->00:14:54.494
previously, some malware or APT
as they call it, or some threat
actor... [laughter] Oh great,

00:14:54.494-->00:14:58.931
someone laughed at APT. I
laughed too, every time.
[laughter] Uh, someone, someone

00:14:58.931-->00:15:02.902
did this, uh, thi... this, this
is a known method of
persistence. I mean, this is my

00:15:02.902-->00:15:08.107
top method, when I go to CCDC, I
played against that guy over
there... [laughter] We... we, I

00:15:08.107-->00:15:13.279
mean, we wrecked them with just
cmd.exe backdoor because, you
know, they took a snapshot of

00:15:13.279-->00:15:17.750
their vm's before - you know,
after we already put and
implement it in their backdoor

00:15:17.750-->00:15:22.588
so we were able to get in every
time. So treat this as a
indicator of compromise - cause

00:15:22.588-->00:15:27.760
it's serious, it doesn't just
happen. Uhm, now going into the
protection/ detection phase.

00:15:27.760-->00:15:31.330
Okay, the simple protection -
simple ways to protecting
instances is restrict local

00:15:31.330-->00:15:36.068
admin, of course. You need to be
local admin to replace these
files so restricting that is

00:15:36.068-->00:15:40.740
important, it, it, it helps
resolve a lot of issues as well
as this. Full disk encryption -

00:15:40.740-->00:15:42.742
that'll help prevent if someone
were to steal a laptop and get
content, access the content of

00:15:42.742-->00:15:44.744
the hard drive and replace the
files that way. Uh, full disk
encryption will help protect

00:15:44.744-->00:15:46.746
against that. Uhm, my favorite,
uh, method of pro... it doesn't
really protect against it, it

00:15:46.746-->00:15:48.748
protects against the
exploitation of it - is
network-level authentication for

00:15:48.748-->00:15:50.750
remote desktop. Uh,
network-level authentication,
uh, if, when that's enabled, it

00:15:50.750-->00:15:52.752
requires valid credentials
before a console is ever
presented to the user. So our

00:15:52.752-->00:15:57.757
script wouldn't work unless we
had valid credentials. So
enabling NLA, uh, across your

00:16:12.972-->00:16:17.977
entire environment is a valid
protection against exploitation
of this - against remote

00:16:23.249-->00:16:27.086
exploitation. Uh, end-point
monitoring, we've seen a lot of
success with end-point

00:16:27.086-->00:16:31.557
monitoring, you can, uh, monitor
a few things, one of them being
monitor when the file is being

00:16:31.557-->00:16:35.528
replaced. Uh, if the file is
something that it's not supposed
to be alert on that, you can

00:16:35.528-->00:16:42.368
also alert on if cmd ever spawns
from the win logon process, as a
child of the win logon process,

00:16:42.368-->00:16:46.339
that's not normal. I mean, in
my, in my experience it's
usually, it's usually not normal

00:16:46.339-->00:16:51.944
so you can flag on that as well.
Uhm and then net flow analysis -
simply look at: Are there hosts?

00:16:51.944-->00:16:56.349
Is there one host or a few hosts
in the environment that are just
spraying rtp port through 3389

00:16:56.349-->00:17:02.755
everywhere? If so, maybe you
should look in that. So, oh, by
the way, Tim made this for me,

00:17:02.755-->00:17:08.728
it's great, this is a, what do
you call it? The... the, what do
you call it? >> Conquest: the

00:17:08.728-->00:17:12.765
ears of your enemies. >> The
ears of my enemy. [cheering] The
rumor has it these are all the

00:17:12.765-->00:17:17.336
shift keys that we've broken
over time from exploiting them.
So we just took them off and Tim

00:17:17.336-->00:17:22.341
made them into a necklace so I'm
gonna wear it. Uhm... [applause]
>> So a little treat for you

00:17:27.613-->00:17:32.518
guys... the code is.. has been
released as of an hour ago so
it's on my GitHub - Sticky Q...

00:17:32.518-->00:17:36.689
excuse me [laughter] Sticky Keys
Slayer. What are you laughing
at? [laughter] Sticky Key

00:17:36.689-->00:17:42.128
Slayer. Uhm, it's, it's up
there, it's, uh, uhm, there,
I've put a lot of documentation

00:17:42.128-->00:17:46.299
there hopefully it's easy to
read and easy to use. I
recommend if you guys work for a

00:17:46.299-->00:17:50.536
big company or a small company,
download it, look at the code so
you know I'm not doing anything

00:17:50.536-->00:17:55.207
malicious. Uh... [laughter]
Don't just download any code and
run it, but uh, uh... I mean,

00:17:55.207-->00:17:59.645
you can if you want. I don't
care. [laughter] Uh, uhm, run
this in your environment, uh,

00:17:59.645-->00:18:03.182
and, and just see, you know,
you'll be surprised how many
you'll see out there. We,

00:18:03.182-->00:18:07.653
ther... there hasn't been any
environment yet that we've
scanned and haven't at least

00:18:07.653-->00:18:12.858
found one. So, try it, you know,
look into it and see what you
can get, uhm, uh, so yea. My

00:18:12.858-->00:18:16.896
code's on GitHub, I, I encourage
you guys to contribute to it or
at least report any issues you

00:18:16.896-->00:18:21.400
see cause I always like to make
my stuff work for everyone. So,
report issues, send us feedback,

00:18:21.400-->00:18:24.470
whatever you want. Slides are
also online, demo videos are
online if you care about it.

00:18:24.470-->00:18:29.475
Uhm, that's, uh, that's pretty
much it. Questions? [applause]
>> So, we're, uhm, we've, we've

00:18:35.915-->00:18:41.988
also got a weaponized version in
the works that you can just say
"Execute this code as soon as

00:18:41.988-->00:18:46.058
you've found a command prompt"
so you just set it and forget
and watch the shells rain in, so

00:18:46.058-->00:18:51.797
that's uh... [laughter] >> I
call it "RainingShells.sh".
[laughter] Question... question

00:18:51.797-->00:18:57.136
over there. [audience member
asking question] >> Can you pass
the mic on? >> Oh, you.. We'll

00:18:57.136-->00:19:02.274
repeat the question.. >> Yea,
yea. [audience member asking
question] >> Okay.. >> Uh,

00:19:02.274-->00:19:05.845
alright... >> Oh, yea, that's a
good idea. Okay, we'll do that,
okay. Questions go up here, so

00:19:05.845-->00:19:09.015
we have three minutes for
questions and then.. >> You the
a loud-mouth in the back? >> Yea

00:19:09.015-->00:19:14.020
I'm sure you have questions.
Uhm, okay, go ahead. >> So...
[audience noise] >> Is it on?

00:19:19.525-->00:19:23.763
[audience noise] Just tell me,
I'll repeat it. >> "Alright, so
if you use black pixels to

00:19:23.763-->00:19:28.868
determine if you've got a
command prompt, uh, what did you
do to account for the different

00:19:28.868-->00:19:34.073
operating systems? For example
Windows XP has a pure black
background and other other

00:19:34.073-->00:19:38.277
operating systems might use dark
backgrounds." >> Ah, so it's the
difference between the uh, uh,

00:19:38.277-->00:19:42.715
whatever we make an initial rtp
connection, we take a screenshot
and when we make, uh, uhm,

00:19:42.715-->00:19:45.951
actually see all the
accessibility options we take a
difference.. We take a second

00:19:45.951-->00:19:49.155
screenshot and it's the
difference between the two. It's
not just looking for black

00:19:49.155-->00:19:52.358
pixels, it's looking for the
different, uhm, uh, the
difference between them. So if

00:19:52.358-->00:19:57.997
you look at like Dell has their
default Windows, uh, install,
has the front end of the Dell

00:19:57.997-->00:20:02.001
bezel on it, it's got a lot of
black in it. Whenever you
actually pop a sticky key shell

00:20:02.001-->00:20:05.671
on it, it, uh, it, it there's
more black on the screen than
there was before and so we're

00:20:05.671-->00:20:08.707
just looking for the difference.
It's really simple, it's
rudimentary.. uhm, there's been

00:20:08.707-->00:20:12.378
some work out there, and, like,
open cv, tried to do a
screenshot - detection show up

00:20:12.378-->00:20:17.750
for it. Uh, we looked into
OCR-ing the screen but we found
a lot of boxes in non-native

00:20:17.750-->00:20:23.189
English and I don't know how to
do OCR recognition in English in
non-English charac, uh,

00:20:23.189-->00:20:28.060
character sets, so... The, about
half a million IP addresses that
we've scanned with it from us

00:20:28.060-->00:20:33.532
and then other people's
engagements, uh, it's gradient
is like 99.96 percent, uh,

00:20:33.532-->00:20:36.769
effective in detecting the
screenshot every time. There
were a couple of false

00:20:36.769-->00:20:41.040
positives, but those false
positives were due to broken
consoles where like the top two

00:20:41.040-->00:20:44.043
thirds of the screen was the
console; the bottom third of the
screen would just be black.

00:20:46.112-->00:20:52.017
[chatter] >> Thank you. Woohoo.
[audience member asking
question] Uh, yea, I mean, so,

00:20:52.017-->00:20:57.690
to parallelize this we do use,
uh, "GNU Parallel", did I say
that right? GNU parallel? We use

00:20:57.690-->00:21:03.729
a tool GNU parallel and just
allows, uh, the script to spawn
itself in multiple processes and

00:21:03.729-->00:21:09.969
just run really, really fast, so
it's really cool looking said
tool. >> Question. >> Uhm, uhm

00:21:09.969-->00:21:15.574
do you have a list of all of the
other ones that work? Cause you
said there were other ones...

00:21:15.574-->00:21:20.579
But, you only talked about shc.
>> There you go. >> Aha! Thank
you. >> Okay, so yea, that's

00:21:24.750-->00:21:31.123
it... [laughter] So, just to
reiterate, this is not... Shift
5 times is only one of the, uh,

00:21:31.123-->00:21:36.729
1, 2, 3, 4, 5, 6, 7, 7
executables that will work with
this. Uh, shift, Window key, U

00:21:36.729-->00:21:41.133
will open "utilman"; uh,
onscreen keyboard; there's, uh,
there's no keyboard shortcut for

00:21:41.133-->00:21:44.803
that but there's an option for
that... Uhm, and.. >>
[indistinct] >> So, they're

00:21:44.803-->00:21:48.774
saying... we have one more
minute. Question, one more
minute. >> Yes sure, so if you

00:21:48.774-->00:21:52.244
can programmatically scan and
detect these things and you can
programmatically send keys, you

00:21:52.244-->00:21:56.749
can also in theory
programmatically add an option
to remove the backdoor.. >> Yes!

00:21:56.749-->00:22:00.352
[chatter] >> Or, add "- - evil"
and add your own implant and
then remove that backdoor. >>

00:22:00.352-->00:22:04.623
So, so my goal as a troll, if
you just downloaded our cold,
our code and ran it and said

00:22:04.623-->00:22:09.995
"Hey go ahead and just do this"
is to run the shc/scan now is
the actual , uhm, weaponized

00:22:09.995-->00:22:14.166
code. And then drop us something
in the log file and say "Hey,
uhm, there, this box had this

00:22:14.166-->00:22:17.903
backdoor enabled on it, but
sorry you just cleaned it,
thanks!". Read the code next

00:22:17.903-->00:22:21.774
time. >> Thank you guys so much.
Questions, will, will be out
there and we'll slowly move to

00:22:21.774-->00:22:24.476
the bar. Thank you guys so much
for coming!