SpeedTalk Pentera - The LOLBAS Odyssey: Tracing the Path of Finding Hidden Gems in Executables

ROOTCON Hacking Conference
2 Oct 202421:54

Summary

TLDRThis video discusses innovative techniques in binary analysis and reverse engineering, with a focus on scalable static analysis and dynamic vulnerability identification. The speaker highlights the use of tools like Binary Ninja, automated functions via ChatGPT, and advanced analysis for both red and blue team security efforts. The approach extends beyond common Microsoft binaries, advocating for the dynamic analysis of custom or lesser-known executables. The goal is to enhance vulnerability detection and attack vector identification, using automation and dynamic research for more adaptable and effective security strategies.

Takeaways

  • ๐Ÿ˜€ Binary Ninja offers a headless library that allows for automation without needing the UI, making it a powerful tool for reverse engineering.
  • ๐Ÿ˜€ The team is developing a process that uses ChatGPT to iterate and understand functions, enhancing the reverse engineering workflow.
  • ๐Ÿ˜€ Static analysis, especially with tools like Binary Ninja, is highly scalable and can be run in parallel to analyze multiple executables simultaneously.
  • ๐Ÿ˜€ The goal is for both blue and red teamers to identify new and unknown low-level vulnerabilities in software by using these techniques.
  • ๐Ÿ˜€ Dynamic analysis can help identify new executables and functions on systems, even those that are custom or less commonly used, not just standard OS-based ones.
  • ๐Ÿ˜€ The use of reverse engineering libraries such as Capstone and Radar allows for more flexible and dynamic analysis of both known and unknown software.
  • ๐Ÿ˜€ Custom software, even if not commonly used, can be targeted for reverse engineering and vulnerability research, as hackers are not constrained by official software lists.
  • ๐Ÿ˜€ Building your own tools and uploading them to a system to perform dynamic analysis on the fly can uncover previously unidentified vulnerabilities.
  • ๐Ÿ˜€ The team is still in the process of developing these techniques, but early results show promising potential for uncovering new threats.
  • ๐Ÿ˜€ The process is not limited to software approved by major companies like Microsoft; any software that provides similar functionality can be analyzed for security flaws.

Q & A

  • What is the main concept discussed in the presentation?

    -The main concept discussed is 'Low-Bass' (Living Off the Land Binaries and Scripts), which refers to using existing binaries and tools already present on a compromised system to perform attacks, bypassing traditional detection mechanisms.

  • What was the initial challenge the team faced when analyzing executables on Windows systems?

    -The initial challenge was the sheer number of executables on Windows systemsโ€”over 3,000โ€”which made manually testing each one to identify potential attack tools highly inefficient and time-consuming.

  • How did the team address the challenge of analyzing a large number of executables?

    -The team addressed the challenge by automating the process with Python scripts and process monitoring, allowing them to test executables dynamically and scale their research effectively.

  • What is the role of static and dynamic analysis in the research process?

    -Static analysis involves reverse-engineering the executables to identify useful functions, while dynamic analysis monitors the system in real-time to detect behaviors such as downloading or executing payloads. Both methods are used in tandem to improve the detection and automation of low-bass techniques.

  • How does process monitoring assist in identifying attacks or malicious behavior?

    -Process monitoring helps track the relationship between parent and child processes, which allows the team to identify when a downloaded executable is actually running, signaling successful execution of an attack or malicious payload.

  • What is the significance of using AI tools like ChatGPT in static analysis?

    -AI tools like ChatGPT are explored for assisting in the reverse-engineering and static analysis process, potentially speeding up the identification of function calls and making it easier to automate the understanding of executables.

  • What type of executables were primarily focused on during the research?

    -The research primarily focused on Microsoft-signed or native operating system binaries that are commonly present on Windows machines, as these are more likely to be available for use in low-bass attacks.

  • What future improvements does the team anticipate for their research on low-bass techniques?

    -The team anticipates using dynamic analysis to identify not only known executables but also custom or less common executables that may be introduced to a system, improving the ability to detect new attack vectors in real time.

  • How does the automation of the analysis process benefit both red and blue teams?

    -For red teams (penetration testers), automation allows for faster identification of potential attack vectors, while for blue teams (defenders), it enables scalable monitoring to detect and defend against low-bass techniques more effectively.

  • Why is it important for security researchers to understand and defend against low-bass techniques?

    -It is important because attackers often use low-bass techniques to avoid detection, relying on tools that are already present on the system. Understanding these techniques helps defenders to spot and mitigate attacks before they can cause significant damage.

Outlines

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Mindmap

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Keywords

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Highlights

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Transcripts

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now
Rate This
โ˜…
โ˜…
โ˜…
โ˜…
โ˜…

5.0 / 5 (0 votes)

Related Tags
Binary AnalysisVulnerability DetectionRed TeamingBlue TeamingSecurity ToolsAutomationReverse EngineeringDynamic AnalysisCybersecurityExecutable AnalysisChatGPT Integration