Leaderboard

Popular Content

Showing content with the highest reputation on 06/10/20 in all areas

  1. UiPath's security team has 3 pentesters. All of them are long-standing RST members. If there are still people who think RST is a bunch of kids, this is just one example. Many started out here. Not all of them are still active, but we, a few of us, will always be here. RST won't die!
    12 points
  2. In certain investigations, it may arise that you need to find the following: What process was using the camera or microphone? When was the last session? How long was that session? Using the contents of the following reg keys, you can determine when and how long a process had access to privacy protected resources. These resources include the microphone, webcam, bluetooth, location, contacts and more. For this blog, I will focus on the microphone and webcam as an example.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\
     Below is an example of the typical entries in the webcam directory. There are several entries, including Microsoft and non-Microsoft applications. Microsoft applications are stored as child keys, but non-Microsoft applications (which are of the most interest) are stored in the NonPackaged child key. Within the NonPackaged directory, you can see that the names of the keys are the full path of an executable with # replacing \. Each entry has two values, LastUsedTimeStart and LastUsedTimeStop, with the timestamps in FILETIME format. From the example above, you are able to determine that Zoom.exe had access to my webcam for 27.2 minutes (between 2020/06/01 04:30:52 UTC and 2020/06/01 04:58:04 UTC). Whether you are looking at what processes had access to a webcam or even trying to prove how long a user's conversation may have been, this is a great source of information.
     Testing RAT-like behaviour
     I needed to test if this also applied to more malicious methods of accessing the microphone. I used a meterpreter post-exploit module to record audio from a Windows VM. As soon as I ran the recording command, a new entry was populated from where my meterpreter shell was executed. Pretty cool!
     Monitoring
     If we wanted to track all sessions (not just the last), it is easy with Sysmon. If you are running something like the Swift on Security configuration, you will need to add an inclusion line for event IDs 12, 13 and 14 (Registry modification):
     <TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject> <!-- When a process accesses bluetooth, location, webcam, microphone etc, the timestamps of last access are updated here. HKLM and HKCU -->
     After updating your configuration, a Sysmon event will now be created when the registry keys are created or updated. Below is the LastUsedTime key being updated for Skype.exe accessing my microphone in the Sysmon event log. The timestamps in the log are still in hex, which need to be converted to decimal and then to a human-readable timestamp; however, the timestamp of the event itself is also very accurate.
     Conclusion
     What spurred this off is when I came across this page in the settings, and it got me thinking about where this data is stored. It will be interesting if there are other places that track historical sessions without the use of monitoring. This would be more valuable to forensic analysts that don't always have nice logs. Further research could also be done to identify which device the process is accessing (front camera, USB camera etc). I would also like to explore if this method catches more covert RAT malware. Thanks for reading, Source Zach
    1 point
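The FILETIME conversion and the "#"-for-backslash key naming described in the post above, as an added Python example (not code from the post or its author). The sample values are constructed to reproduce the 27.2-minute Zoom.exe session quoted in the post, the analyst path is made up, and the "QWORD (0xHIGH-0xLOW)" string is the assumed way a Sysmon event 13 Details field renders a QWORD.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Turn a LastUsedTimeStart/Stop FILETIME value into a UTC datetime (integer math, no float drift)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def key_name_to_path(key_name: str) -> str:
    """NonPackaged sub-keys store the executable path with '#' in place of the backslash."""
    return key_name.replace("#", "\\")


def parse_sysmon_qword(details: str) -> int:
    """Recombine the 'QWORD (0xHIGH-0xLOW)' rendering (assumed Sysmon format) into one integer."""
    m = re.fullmatch(r"QWORD \(0x([0-9a-fA-F]{1,8})-0x([0-9a-fA-F]{1,8})\)", details.strip())
    if m is None:
        raise ValueError(f"unrecognised QWORD rendering: {details!r}")
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)


def session_minutes(start_ft: int, stop_ft: int) -> float:
    """Length of one access session in minutes; a stop before the start means the record is inconsistent."""
    if stop_ft < start_ft:
        raise ValueError("LastUsedTimeStop precedes LastUsedTimeStart")
    return (stop_ft - start_ft) / 10_000_000 / 60


def summarise_entry(key_name: str, start_ft: int, stop_ft: int) -> dict:
    """Analyst-facing view of one ConsentStore\\<capability>\\NonPackaged entry."""
    start, stop = filetime_to_datetime(start_ft), filetime_to_datetime(stop_ft)
    return {
        "path": key_name_to_path(key_name),
        "start": start.strftime("%Y/%m/%d %H:%M:%S UTC"),
        "stop": stop.strftime("%Y/%m/%d %H:%M:%S UTC"),
        "minutes": round(session_minutes(start_ft, stop_ft), 1),
    }


# Constructed sample: FILETIME values computed to match the post's Zoom.exe session, not captured data.
SAMPLE_KEY = "C:#Users#analyst#AppData#Roaming#Zoom#bin#Zoom.exe"
SAMPLE_START = 132354594520000000  # 2020/06/01 04:30:52 UTC
SAMPLE_STOP = 132354610840000000   # 2020/06/01 04:58:04 UTC
SAMPLE_SYSMON_DETAILS = "QWORD (0x01d637cd-0x6ec16600)"  # SAMPLE_START as the assumed Sysmon rendering

if __name__ == "__main__":
    print(summarise_entry(SAMPLE_KEY, SAMPLE_START, SAMPLE_STOP))
```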
  3. Hi, We are looking for a colleague for the security team. We are looking for someone senior who knows web security very well, but also other areas (e.g. Windows, networking, cloud). More precisely, a person who knows advanced things about exploiting vulnerabilities, tips & tricks, bypasses, and who doesn't mind doing pentests with the help of the source code, i.e. code review. You can apply here: https://www.linkedin.com/jobs/view/1699417011/ Or you can send me a private message. I also welcome any question about the position. Thanks, // Nytro
    1 point
  4. I would be interested in the RAM. I'll send you a message.
    1 point
  5. You are more likely to get run over by a BMW driven by a Gypsy with no job, no schooling and a licence obtained shadily. Criminals have guns anyway. And not ones with rubber projectiles. @unic, welcome. At least buy yourself a Fort 17R. Other than that, the market only has pop guns.
    1 point