Using policy delay to gain RCE and to execute Ransomware

BSides Barcelona · 55:47 · 26 views · Published 2022-01 · Watch on YouTube

Speakers: Filipi Pires

Tags
Category: Technical
Team: Red
Style: Talk
About this talk
BSidesBCN21 - Day 1 - Park Güell Track

Using policy delay to gain RCE and to execute Ransomware to infect a victim machine (Filipi Pires)

The purpose of this presentation is to run several efficiency and detection tests against our endpoint solution, presenting the results of a defensive security analysis performed with an offensive mindset. The first objective was to simulate targeted attacks using invasive techniques such as DLL injection with a payload created by msfvenom (part of the Metasploit framework), together with PowerView, a PowerShell tool for gaining network situational awareness on Windows domains. PowerView contains a set of pure-PowerShell replacements for various Windows "net *" commands, which use PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. It also implements various useful metafunctions, including some custom-written user-hunting functions that identify where on the network specific users are logged in, and it can check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See the function descriptions for appropriate usage and available options; for detailed output of the underlying functionality, pass the -Verbose or -Debug flags.

The second test used shellcode injection with payloads created via msfvenom, again based on PowerView and following the same strategy as the first test; this cmdlet can be used to inject custom shellcode or a Metasploit payload into a new or existing process and execute it.

The third test performed DLL injection with Remote DLL Injector from the SecurityXploded team, which uses the CreateRemoteThread technique and is able to inject a DLL into ASLR-enabled processes. The tool needs two parameters, the process ID and the path of the DLL, here again a payload created by msfvenom.

The fourth test downloaded a ransomware sample directly onto the victim's machine with a PowerShell script and executed it, exploiting the policy delay. The final test was a stress test using a Python script fed with daily malware samples provided by MalwareBazaar via API access, while at the same moment running the PowerShell script to download the ransomware directly onto the victim's machine.

About Filipi Pires

I've been working as Principal Security Engineer at Talkdesk and Security Researcher at senhasegura... I'm a Hacking is NOT a crime Advocate and Red Team Village Contributor. I'm part of the Staff team of DEFCON Group São Paulo-Brazil and an international speaker at security and new technologies events in many countries such as the US, Canada, Germany, Poland and others. I've served as a University Professor in Graduation and MBA courses at Brazilian colleges; in addition, I'm the Creator and Instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).