Cheatsheet - The powers of "limited" Windows accounts

While using a non-admin account for everyday tasks is a sound and highly recommended security measure, it is important to keep in mind that it should only be one layer of your security posture.

It is easy to underestimate the amount of damage that can be done by malware running as a "limited" Windows user, even without resorting to privilege escalation. Here is a quick roundup:

  1. keylogging / password stealing
  2. file encryption (e.g. Cryptowall)
  3. silently recording audio/video
  4. banking trojan infections (e.g. Dridex)
  5. persistence (surviving reboots)
  6. formatting external FAT drives
  7. infecting USB sticks
  8. sending out any data (outbound FW rules typically won't help much)
  9. browser hijacking
  10. joining a botnet
  11. hosting content
  12. reading memory of other processes (e.g. Keepass)
  13. serving a remote console (e.g. VNC)
  14. port scanning / network recon
  15. Active Directory enumeration

Did you know all of the above could be done with a regular account?

Follow @hexatomium

View my LinkedIn page (Firas Salem)

Microsoft silently adds Amazon root certificates to its CTL

Microsoft has just pushed a new CTL update with 6 new root certificates, 4 of which are for a brand new root CA: Amazon. This conveniently occurs just in time for Amazon's Certificate Services go-live. But what should have been a fairly ordinary update is raising a few red flags.

  1. Amazon is reported to have some close ties to spy agencies.

  2. The new roots have not been announced by Microsoft. Their Program Participants page is oddly silent about the changes. Additionally, it's interesting that Starfield (another root acquired by Amazon last year) does not appear in there either. Hopefully that's just a coincidence - I will not speculate on that.

  3. No other trust store provider (Mozilla, Google, Oracle) trusts these roots as of today.

RCC detecting the new roots:

By the way, if you are running any supported version of Windows, be aware that you are already effectively trusting them now, even if you do not see them in the Windows Certificate Manager.


The Executable Palindrome

What happens when you mix palindromes, a pinch of ASM, and a New Year hangover? A tiny 600-byte executable binary palindrome :)

This tiny Windows EXE will run identically even if all bytes are reversed.

Of course it does not do much (actually all it does is exit with a specific return code) but it's a new type of palindrome, an executable palindrome.

To make it a little more fun, one extra twist I added is to place the entry point (EP) in the mirrored half. Also, the actual executed code is contained within my New Year greetings :)

Building an executable palindrome is actually simple. In fact, most EXEs can very easily be made into palindromes (with the possible exception of digitally signed EXEs.)

Wanna give it a try? Grab it from here (or manually type in the above bytes using a hex editor, to experience a true hacker's high!)

BTW, this would not have been possible without the awesome PE resources maintained by corkami.


Microsoft quietly pushes 5 additional root certificates

Again, Microsoft just added 5 new and undocumented root certs to the Windows CTL. And again, without communicating about it. I still fail to understand why their official list is now out of date by more than a year, while Apple, Mozilla and Google all document the changes in a much more transparent and timely way.

Anyway, here are the new kids on the block. If you are running any supported version of Windows, you're trusting them now (provided you already received the November 20 automatic update).

 SHA1 thumbprint                           Country  Name
 010c0695a6981914ffbf5fc6b0b695ea29e912a6  GR       Hellenic Academic and Research Institutions RootCA 2015
 9ff1718d92d59af37d7497b4bc6f84680bbab666  GR       Hellenic Academic and Research Institutions ECC RootCA 2015
 4caee38931d19ae73b31aa75ca33d621290fa75e  AT       A-Trust-nQual-03
 9b0959898154081bf6a90e9b9e58a4690c9ba104  CZ       I.CA Root CA/RSA
 f02b70bde4eae02b207377b9fd4785e4c9cc55dc  CN       China Financial Certification Authority Identity CA
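To check for yourself whether these five roots are already trusted on a machine, and whether they are visible in the local store that Certificate Manager displays (the gap mentioned in the Amazon post above), here is an added example; it is not part of the original post. It assumes certutil.exe is present (it ships with Windows) and that the machine can reach Windows Update.

```powershell
# Added example, not from the original post: compare the five root thumbprints
# listed above against (a) the local machine Root store, which is what
# certmgr.msc shows, and (b) the AuthRoot CTL that Windows downloads from
# Windows Update, which is what the OS actually trusts via auto root update.

# Thumbprints and names as given in the post (SHA1, lowercase as printed there).
$newRoots = @{
    '010c0695a6981914ffbf5fc6b0b695ea29e912a6' = 'Hellenic Academic and Research Institutions RootCA 2015'
    '9ff1718d92d59af37d7497b4bc6f84680bbab666' = 'Hellenic Academic and Research Institutions ECC RootCA 2015'
    '4caee38931d19ae73b31aa75ca33d621290fa75e' = 'A-Trust-nQual-03'
    '9b0959898154081bf6a90e9b9e58a4690c9ba104' = 'I.CA Root CA/RSA'
    'f02b70bde4eae02b207377b9fd4785e4c9cc55dc' = 'China Financial Certification Authority Identity CA'
}

# (a) Roots currently present in the local machine Root store.
$localRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

# (b) The complete AuthRoot list from Windows Update, written by certutil to a
#     serialized store (.sst) file, then loaded as a certificate collection.
$sst = Join-Path $env:TEMP 'authroot.sst'
certutil.exe -f -generateSSTFromWU $sst | Out-Null
$ctl = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$ctl.Import($sst)
$ctlThumbs = $ctl | Select-Object -ExpandProperty Thumbprint

# -contains is case-insensitive in PowerShell, so the lowercase thumbprints
# from the post match the uppercase Thumbprint property on the certificates.
foreach ($tp in $newRoots.Keys) {
    [pscustomobject]@{
        Name          = $newRoots[$tp]
        Thumbprint    = $tp
        InLocalStore  = $localRoot -contains $tp   # shown by Certificate Manager
        InAuthRootCTL = $ctlThumbs -contains $tp   # effectively trusted now
    }
}
```

A root with InLocalStore false and InAuthRootCTL true is exactly the case described above: not visible in Certificate Manager, yet fetched and trusted on first use.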



Conway's 1K Binary Polyglot

Now you can play (or rather, watch) Conway's Game of Life in a browser and on the C64 - using the same 1K file!

As an HTML5 file, the game will run in any modern browser on Windows, Linux, OS X, Android or iOS. However, just rename the file extension to .PRG and it's ready to (natively) run on a C64!

For more info on binary polyglots: google "corkami".

Download

 Size: 1024 bytes
 Hash: c649f20d3cb59e474d1f578143242c64 (MD5)

Credits

 c64 code: ruk 
 js  code: Daniel Bali 
 polyglot assembly: FS1 
