Catch Me if You Can


The presentation will show, from a technical point of view, how to deploy backdoors to guarantee access to an organization. Initially, a brief review of the types of persistence, the locations where it can be deployed and the common aspects to take into account will be carried out; it will then go on to describe all the details that allow a Red Team to guarantee access to the entity without the organization being able to detect it, or to expel the attacker before the attacker re-enters using an alternative persistence.
The presentation will feature the following highlights:
- General introduction to the concepts necessary to understand the details of the scenarios where it is necessary to deploy persistence in an organization (in a real intrusion).
- Reverse connection typology, such as situations where there is direct access to the Internet, connection via proxy, proxy with authentication, DNS, …
- Infrastructure and techniques for persistence deployment, indicating the type of servers and advanced techniques such as domain fronting, IP laundering, …
- Traditional deployment of persistence in an organization, both on existing systems in the DMZ, internal servers, workstations, Cloud servers, Active Directory, …
- Alternative persistence to guarantee access unknown to the organization: users with predictable credentials based on password history, Wireless backdoors on workstations (in both directions), extraction of internal WiFi passwords, pivoting through resource reconstruction, periodic tasks that modify AD settings, monthly Outlook rules configured to upload the internal GAL table of users, visual information extraction using the screen, and others.
- Anti-forensic techniques for the deployment of persistence, to avoid its identification by the Security team.
- Types of behavior and techniques to apply when the security team detects a persistence, allowing access to the entity to be recovered before access to the company is lost.
The combined use of the exposed techniques and actions, as will be shown in the presentation, means that the security team is unable to expel the Red Team in any case, allowing the intrusion to be carried out with greater freedom.
The presentation is the result of experience in developing deep Red Team exercises on the main organizations in Spain (IBEX35), as well as large banking and industrial entities in Europe and America, for more than 6 years.
After the presentation, an Open Source tool will be published to help in the development of the persistence deployment.

Speaker(s): Eduardo Arriols

Location: Red Team Vlg

Event starts: 2020-08-08 07:15 (07:15 AM) PDT (UTC -07:00)

Event ends: 2020-08-08 08:15 (08:15 AM) PDT (UTC -07:00)

For the most up-to-date information, please either visit, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-07-29T01:26 (UTC).