More than Free Schwag

GoSecure's Open Source Contributions to Malware Analysis, Code Hardening and RDP Snooping

Olivier Bilodeau, <obilodeau@gosecure.net>

Agenda

Our Vision
Malware Analysis with Malboxes
Code Hardening with Find Security Bugs
RDP Snooping with PyRDP
Future Work

$ whoami

Cybersecurity Research Director
Reverse-Engineering and Tools Enthusiast
International Speaker
- DefCon, BlackHat, RSAC, DerbyCon, 44CON, etc.
Co-founder Montrehack (hands-on security workshops)
VP Training and Hacker Jeopardy at NorthSec

gosecure nsec

The Vision

Two Types of Products and Services

Polished

Easy to Use
Paid For
Supported
Proven

Rough

DIY
Free, Adaptable
You Are on Your Own
Proof of Concept

Making Malware Analysis More Accessible

Problems in Malware Analysis

Malware analysis is not accessible to newcomers
Easy to mess things up (get infected)
Building an environment with all the tools installed takes time
Team work is hard (tools don’t encourage it)

Inspired by DevOps

Core Principle: Infrastructure as Code
Reproducible
Throw-away
Efficient

Architecture

          FRONT-END           BACK-END
      +---------------+   +---------------+     +-------------------+
      |               |   |               +---> |  Autounattend.xml |
      |               +-> |  packer       |     +-------------------+
      |               |   |               +-+
      |               |   +---------------+ |   +--------------------+
      |  malboxes.py  |                     +-> |                    |
      |               |   +---------------+     |          PowerShell|
      |               |   |               |     |   WinRM  winrmcp   |
      |               +-> |  vagrant      +---> |          Shell     |
      |               |   |               |     |          Chocolatey|
      +---------------+   +---------------+     +--------------------+

                          +------------------------------------------+
                          |                                          |
                          | VirtualBox / vSphere (ESXi) / KVM / AWS* |
                          |                                          |
                          +------------------------------------------+
*: NEW!

New Feature: Deploy to AWS

Background

Reducing Risks

The Process

Demo

Find Security Bugs in a Nutshell

Detectors built around the SpotBugs engine with a focus on security issues
Open-source
OWASP project since 2019
131 bug patterns
Works great with Java, Kotlin and JSP

How Does It Work?

Types of Vulnerabilities

SQL/HQL Injection
Command Injection
Cryptographic Weaknesses
Cross-Site Scripting
Path Traversal

Template Injection
Hard-Coded Password
Insecure Configuration
XML External Entity
Predictable Random Number Generator

Integrated in IDEs

and in Continous Integration (CI)

and in Continous Integration (CI)

Integrations

Many free and open-source options

SonarQube (with Sonar-FindBugs)
Jenkins (with Warnings-NG)

Integrated in many commercial solutions

Gitlab
CodeDX

jenkins sonarqube

PyRDP Is

Remote Desktop Protocol MITM
Active Clipboard Stealer
PowerShell / cmd Injection on Login
Take Control of the Remote Session
Client-Side File Browsing

Latest Features

On Autopilot!

NLA Downgrade Attack
Heuristic-based Credential Harvester
Integration with Bettercap
Active File Crawler / Downloader

Future Work

Malboxes

Honeypots
Config Rework

Find-Security-Bugs

More Detectors
More OWASP Visibility

PyRDP

Support GDI+ Passthrough
Honeypots

Pointers

Thanks to All External Contributors!

Hugo Genesse, Gregory Leblanc, @snakems, @pix, Camille Moncelier, @xambroz, @malwarenights, Mathieu Tarral, Maxime Carbonneau, Etienne Lacroix, Emilio Gonzalez, Francis Labelle, Humoud, Ondrej Gersl, @tothi, François Labrèche, Sanket Shah

Questions?

Our Blog | Our GitHub
Corporate @GoSecure_Inc
Personal @obilodeau
Email: obilodeau@gosecure.net
Send me malware samples!