Every month, Windows administrators await the swarm of updates Microsoft releases on the second Tuesday. Microsoft is working towards a simpler update process, opting for a single roll-up patch instead of a multitude of individual patches.
Regardless of the number of patches, Microsoft provides a vast amount of data for each individual update. For humans, we have the KB Articles support page, which can be found at https://support.microsoft.com/en-us/kb/<kb>. For KB 3185319, this would be at https://support.microsoft.com/en-us/kb/3185319.
The second available link is their API page, which makes the data a little easier to read for computers. This link is located at https://support.microsoft.com/api/content/kb/<kb>, so for KB 3185319, the link would be https://support.microsoft.com/api/content/kb/3185319.
These pages are great for Windows administrators. Each KB article usually lists the files the update is expected to change. From this data, we know the file name, version, size and modified time of each file that should change on patched systems.
Integrating this data with a change management, patch management, or file integrity monitoring solution can greatly reduce the workload of monitoring the environment for change.
That being said, there’s a key bit of information Microsoft does not provide: the file hashes. Every attribute Microsoft does publish (name, version, size, modified time) can easily be spoofed by malware.
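As an added example (not part of the original post, and not Microsoft's own tooling), the PowerShell below compares a file on disk against the four attributes a KB article gives you, then adds the two checks that metadata alone cannot provide: Authenticode signature validity and a SHA-256 hash you can keep in your own baseline. The path, version, size and timestamp in `$Expected` are constructed placeholders to be replaced with the file list from the KB article for your update.

```powershell
# Added example: verify patched files beyond the KB metadata (name/version/size/mtime).
# Expected values are constructed placeholders; fill them from the KB article's file list.
$Expected = @(
    [pscustomobject]@{
        Path    = 'C:\Windows\System32\example.dll'   # placeholder path
        Version = '10.0.14393.0'                      # placeholder file version
        Size    = 123456                              # placeholder size in bytes
        Time    = [datetime]'2016-09-01T12:00:00Z'    # placeholder modified time (UTC)
    }
)

function Test-PatchFile {
    param([Parameter(Mandatory)] $Item)

    $f = Get-Item -LiteralPath $Item.Path -ErrorAction Stop
    $issues = @()

    # The checks the KB data supports. All of these can be forged by malware,
    # so a match here is necessary but not sufficient.
    # FileVersion may carry a build tag after the number, hence the prefix match.
    if ($f.VersionInfo.FileVersion -notlike "$($Item.Version)*") {
        $issues += "version $($f.VersionInfo.FileVersion)"
    }
    if ($f.Length -ne $Item.Size) { $issues += "size $($f.Length)" }
    $drift = ($f.LastWriteTimeUtc - $Item.Time.ToUniversalTime()).TotalSeconds
    if ([math]::Abs($drift) -gt 1) { $issues += "mtime $($f.LastWriteTimeUtc.ToString('o'))" }

    # What the KB data does not give you: a valid Microsoft signature and a hash
    # for your baseline. A tampered binary fails the signature check even when
    # name, version, size and timestamp all match the article.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') { $issues += "signature $($sig.Status)" }
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path   = $f.FullName
        SHA256 = $hash
        Signer = $sig.SignerCertificate.Subject
        Status = if ($issues.Count -eq 0) { 'OK' } else { 'MISMATCH: ' + ($issues -join ', ') }
    }
}

$Expected | ForEach-Object { Test-PatchFile $_ } | Format-Table -AutoSize
```

Store the SHA256 column after each Patch Tuesday so later file integrity monitoring alerts can be checked against a hash rather than against spoofable metadata.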
At SecTor 2016, I will be digging into how to take advantage of this lack of information, as well as how to bypass other protection mechanisms you may be using in your environment. Additionally, I will provide information on how you can protect yourself from this type of attack using built-in Windows functionality.
I will also show how to detect a potential attack leveraging these attack vectors using free tools available to anyone.
Join me on October 19 in Toronto as I take a deep dive into how you can Hide in Plain Sight.