Transcript

The Remote Butler Did It!

Tal Be’ery, Sr. Security Research Manager, Microsoft ATA, @TalBeerySec

Chaim Hoch, Security Researcher, Microsoft ATA, @chaimh90

https://www.youtube.com/watch?v=LT0Z9asOedM

“Evil Maid”

waza1234/

LSASS (kerberos)

des_cbc_md5: f8fd987fa7153185

rc4_hmac_nt (NTLM/md4): cc36cf7a8514893efccd332446158b1a

aes128_hmac: 8451bb37aa6d7ce3d2a5c2d24d317af3

aes256_hmac: 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b

DC

DC

TGT

TGS

③ TGS-REQ (Server)

④ TGS-REP

⑤ Usage

User

Server

waza1234/

LSASS (kerberos)

des_cbc_md5: f8fd987fa7153185

rc4_hmac_nt (NTLM/md4): cc36cf7a8514893efccd332446158b1a

aes128_hmac: 8451bb37aa6d7ce3d2a5c2d24d317af3

aes256_hmac: 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b

DC

DC

TGT

TGS

③ TGS-REQ (Host)

④ TGS-REP

⑤ Usage

User

Host

The Cached Credentials entry gets poisoned with the new password!

Remote Butler

Or “When Evil Maid met the Cyber Kill-chain”

no RAT is needed

Defending

Parting Thoughts

