Thursday, July 27, 2017 2 years ago Las Vegas, USA

We are delighted to announce that William Knowles and Ruben Boonen will be presenting at DEF CON 25 this year.

Event Description 

Started in 1992 by the Dark Tangent, DEF CON is the world's longest running and largest underground hacking conference. DEF CON is generally in the last week of July or first week of August in Las Vegas. DEF CON 25 will be held July 27-30, 2017, at Caesars Palace in Las Vegas.

Talk presented by MWR

  • Date: Saturday, July 29, 2017
  • Time: 10:00:00
  • Room: 101 Track
  • Topic: Persisting with Microsoft Office: Abusing Extensibility Options
  • Speakers: William Knowles
  • Description: One software product that red teamers will almost certainly find on any compromised workstation is Microsoft Office. This talk will discuss the ways that native functionality within Office can be abused to obtain persistence. The following opportunities for Office-based persistence will be discussed:

    (1) WLL and XLL add-ins for Word and Excel - a legacy add-in that allows arbitrary DLL loading.
    (2) VBA add-ins for Excel and PowerPoint - an alternative to backdoored template files, which executes whenever the applications load.
    (3) COM add-ins for all Office products - an older cross-application add-in that leverages COM objects.
    (4) Automation add-ins for Excel - user defined functions that allow command execution through spreadsheet formulae.
    (5) VBA editor (VBE) add-ins for all VBA using Office products - executing commands when someone tries to catch you using VBA to execute commands.
    (6) VSTO add-ins for all Office products - the newer cross-application add-in that leverages a special Visual Studio runtime.

    Each persistence mechanism will be discussed in terms of its relative advantages and disadvantages for red teamers. In particular, with regards to their complexity to deploy, privilege requirements, and applicability to Virtual Desktop Infrastructure (VDI) environments which hinder the use of many traditional persistence mechanisms.

    The talk isn't all red - there's also some blue to satisfy the threat hunters and incident responders amongst us. The talk will finish with approaches to detection and prevention of these persistence mechanisms.

Workshop presented by MWR

  • Date: Saturday, July 29, 2017

  • Time: 10:30:00
  • Room: Octavius 4
  • Topic: UAC 0day, all day!
  • Speakers: Ruben Boonen
  • Description: 

    This workshop is available to attendees of all levels, however, a basic familiarity with Process Monitor and the Windows API are recommended. The workshop will provide the required knowledge to find, analyze and exploit process workflows which allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.

    - Identifying auto-elevating processes
    - Analyzing process workflows
    - Finding UAC bypass targets

    Elevated File Operations:
    - Using the IFileOperation COM object
    - Tricking the Process Status API (PSAPI)

    Getting UAC 0day (Pre Windows RS2):
    - Analysis of known UAC bypasses
    - Understanding the Windows Side-By-Side Assembly
    - Creating proxy DLL's
    - Using the Bypass-UAC framework (
    - Dropping 0day(s)!

    Triaging Windows RS2:
    - Environment variables
    - Registry abuse
    - COM objects
    - Process tokens

    The workshop has intense hands-on labs where attendees will put the theory into practice. After attending, you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!


    Materials: To participate in the hands-on sections, attendees need to bring a laptop with 2 GB RAM which can be dedicated to a virtual machine. Both VirtualBox and VMware player can be obtained for free. Two virtual machines and all necessary tools will be provided during the workshop!



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.