DEF CON Forum Site Header Art

Announcement

Collapse
No announcement yet.

Shutter Demolab at DEF CON 29

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Shutter Demolab at DEF CON 29

    Tool or Project Name: Shutter

    Short Abstract:
    The goal of Shutter is to manage windows network stack communication via Windows Filtering Platform. Management can include blocking or permitting traffic based on IP or an executable that initiates or receives the traffic.

    This is useful to blackhole event logging, defensive agent communication, or explicitly permit specific executables to communicate if they have been previously restricted by policy.

    Shutter installs rules in a memory running session without touching the windows firewall itself or invocation of `netsh` command, thereby minimizing detection during long haul RT operations.

    As a generic mechanism for managing network traffic it can help operators in:
    • punching through firewalls without shutting them down
    • not creating persistent rules
    • evading reporting on `netsh` invocation
    • blackholing EDRs and activity supervising agents.
    • studying existing security providers, active filters and network endpoints involved in network communication
    Short Developer Bio:
    I support initiatives in offensive testing for my team by writing code where needed.

    Interests include network-based command and controls, data exfiltration mechanisms, evasion.

    URL to any additional information: https://github.com/dsnezhkov/shutter

    Detailed Explanation of Tool: Please see https://github.com/dsnezhkov/shutter...main/README.md

    Supporting Files, Code, etc: https://github.com/dsnezhkov/shutter

    Target Audience: Offense

    Offensive teams can use the tool to better simulate attacks that involve WFP.
    PGP key: dtangent@defcon.org valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A
Working...
X