DEF CON Forum Site Header Art
DEF CON Forum Site Header Art


No announcement yet.

Shutter Demolab at DEF CON 29

  • Filter
  • Time
  • Show
Clear All
new posts

  • Shutter Demolab at DEF CON 29

    Tool or Project Name: Shutter

    Short Abstract:
    The goal of Shutter is to manage windows network stack communication via Windows Filtering Platform. Management can include blocking or permitting traffic based on IP or an executable that initiates or receives the traffic.

    This is useful to blackhole event logging, defensive agent communication, or explicitly permit specific executables to communicate if they have been previously restricted by policy.

    Shutter installs rules in a memory running session without touching the windows firewall itself or invocation of `netsh` command, thereby minimizing detection during long haul RT operations.

    As a generic mechanism for managing network traffic it can help operators in:
    • punching through firewalls without shutting them down
    • not creating persistent rules
    • evading reporting on `netsh` invocation
    • blackholing EDRs and activity supervising agents.
    • studying existing security providers, active filters and network endpoints involved in network communication
    Short Developer Bio:
    I support initiatives in offensive testing for my team by writing code where needed.

    Interests include network-based command and controls, data exfiltration mechanisms, evasion.

    URL to any additional information:

    Detailed Explanation of Tool: Please see

    Supporting Files, Code, etc:

    Target Audience: Offense

    Offensive teams can use the tool to better simulate attacks that involve WFP.
    PGP Key: