Infecting the Enterprise: Abusing Office365+Powershell for Covert C2

Hi everybody. So my name is Greg Dodds. I'm one of the chief architects responsible for security at Juniper, and today we're going to be talking about combining Office 365 and PowerShell for covert command and control within Office enterprises, I should say. In the interest of time I cut out my biography slide, but the Cliff's Notes version is I've been at Juniper for a little bit over a year at this point. Prior to that I spent about five years at IBM Security, and before that I spent many years at Check Point Software and Nokia.

So moving on. First and foremost, our agenda: we need to discuss why Office 365 makes for ideal C2 infrastructure. After that we're going to discuss how PowerShell fits into this, specifically around the New-PSDrive commands, and if you're not familiar with that you can make a pretty quick guess what it's responsible for: mounting local and remote file systems within PowerShell. After that we're going to go through a simple four-stage proof of concept. I've tried to keep all the examples as simple as possible, so even those of you who are not familiar with PowerShell necessarily should be able to follow along. After that we will talk about some mitigation strategies, and after that of course we're going to come at it from a red team perspective and discuss evading detection, primarily focused on sandbox evasion, as well as our final demo.

All right, so first and foremost it's important to talk about Office 365 adoption rates. First and foremost, of course, credit goes to Skyhigh for the data that they collected last year, but as you can see, for any enterprise that's got more than 100 users, adoption rates are quite high, up to 80% in some cases for certain services such as OneDrive. And in the case of our specific talk here we're focusing on those enterprises who have adopted both OneDrive as well as SharePoint.

So getting into it, why it's actually interesting for command and control: as you saw in the last slide, the vast majority of enterprises are already
permitting traffic to Office 365. Hopefully it's all TLS at this point, but if you're going to be using the service you can make a really easy assumption that the network infrastructure and security infrastructure that's in place today has access to this already, and of course we can take advantage of this. But larger enterprises, due to the volume of their traffic, have enrolled in a service called ExpressRoute that Microsoft offers, and with that service you actually enter into a direct peering agreement with Microsoft between your premises, such as a data center, and Azure. And you can buy these pipes, sorry, you can buy these pipes in significantly large quantities, so most Fortune 100s, if you look at it, they've at least got a single 10 gig link into Azure at this point, if not multiple ones. So due to the aforementioned volume of traffic and generally associated level of trust, most enterprises today are not decrypting any traffic, at least from a TLS perspective, going to Office 365. They may be looking at email but generally not web traffic, so we can of course take advantage of this.

Another minor advantage, of course, of using Office 365 is it can be considered an out-of-band method of attack. So when you're interacting with your target, your target is communicating with Microsoft's IP ranges and not necessarily your own. Not to say Microsoft isn't monitoring what you're doing on their service, but your target generally will not see what IP you're coming from.

And this is really one of the focuses of the attack, of the talk rather, but when you are mounting, as an example, a SharePoint drive on a target, which is something you can do and we will get into it in this talk, you can do it in a way that's invisible to almost any service that the user or the admin is running. So when you mount one of these drives you can have a remote file system point on your target, but it's invisible to File Explorer, WMI, and anything built on .NET frameworks, like net use as an example. So it's extremely
difficult to even track the usage of these things, let alone for a typical end user to identify that, hey, I've got this remote drive on my system. And of course if you are subscribed to DLP solutions, assuming they're even able to identify that a PowerShell drive has been mounted, generally speaking they don't view network storage as being outside of the enterprise, so you're able to transfer things, assuming you're coming at this from a data exfiltration use case. They generally don't see it as being an issue whatsoever, of course, because who mounts drives outside of their enterprise? That sounds like a bad idea.

So Microsoft of course saw this coming, so even if you're able to figure out how to mount a remote SharePoint drive, as an example, you don't actually get read or write access to that drive. So if you want to actually be able to use that drive, you need to figure out a way to fetch a SAML token from Office 365 before mounting that drive. And as an example, I've mounted a drive here and I'm simply trying to echo "test" into a test file, and we're presented with an error. So I'll read this for the guys in the back, but basically all it says is when you try to write a file you get: access denied; before opening files in this location you must first add the website to your trusted sites list, browse to the website, and select the option to log in automatically. Sounds easy, right?

So this is where PowerShell comes in. So fortunately or unfortunately for us, Microsoft has spent a lot of time developing the libraries in PowerShell so that it can interact with and control Internet Explorer, and we can use this of course to load up portal.office.com. We can avoid any single sign-on technologies; of course, if a target is already using Office 365, generally speaking when you navigate there you'll be automatically logged into their account, which will of course defeat our purpose. And then we can enter credentials, click on a few buttons, and we can do all of this without launching Internet Explorer
in a way that the user can see it. So if they're staring at their desktop and you do this, nothing pops up. So, an important part of the talk, of course, but if anyone can come up with a legitimate reason for being able to set IE visible to false, I will buy them a cookie. You can find me after.

So phase one, of course, for our first proof of concept is being able to get that SAML token, since we can't do anything without it. And this is just the page that you see when you actually navigate to portal.office.com: you actually get redirected to login.microsoftonline.com, and then a very important checkbox, this is actually what triggers that SAML token to be pushed, is the keep me signed in button, of course. And we're using "bad guy" as our user. So I'm just gonna take a quick drink.

This is some, again, very simple PowerShell. We've got clear-text credentials, of course, since again we're trying to keep things simple. We go through initially killing Internet Explorer so we can manipulate what we need to, on line five. Lines seven through ten is using rundll32 to simply clean up forms, passwords and cookies, which is generally where SSO lives. Twelve will instantiate IE; thirteen is our lovely set IE visible to false, which means it's not going to pop up for the user to see. The next couple lines actually navigate to the URL, and we sleep while Internet Explorer is loading it to deal with latency. But then thankfully for us we've got the ability to search for specific element IDs within PowerShell, so we look for specifically our user ID input text, our password, and then the most important one is keep me signed in, as a checkbox; we set it to checked and true. And then we actually have to go in and click on the buttons, of course. So there is some filler text that you will see, basically sample usernames, that you actually have to click on to delete, and then we click on sign in.

So this is our first demo. It's very simple, of course, and we've set IE visible so you
guys can follow along with what's going on. But we load things up; you can see the sample text here, so "someone@example", you do have to click on that, unfortunately, for it to go away. But we're just gonna copy-paste in the PowerShell that we were looking at before. We can see IE pops up, we delete our cookies, and it takes about one to two seconds for this to happen, and we're presented with bad guy's SharePoint drive. Easy enough.

So phase two of what we're trying to do here: of course we need to then add SharePoint into our trusted sites so we can mount the drive, and then of course most interestingly is actually mounting the drive itself. So again we have to define some credentials to use for our SharePoint drive, and they do need to be stored as a secure string, which is why you see that up there, but generic domains, or generic credentials I should say. Then we actually have to go and add some registry keys so that IE recognizes the place as a trusted site. I'm assuming most of you guys know how to do this at this point, but basically all it's doing is you're setting a location, you're creating a key, and then depending on the OS version, so in Windows 10 you'll see this pop up as red text, but you may have to hard-code your subdomain in there, in this case "bad domain"; Windows 10 you don't have to do that, of course. And then we just add some DWORDs. So generally speaking you still only need to add HTTPS here, but we've added HTTP and a wildcard just in case there is some strange web proxy downgrading or something else is going on the wire.

And then of course 16 and 17 are the root of what we're trying to do here, but mounting the drive itself. So New-PSDrive is pretty simple to use, and by default it will mount a temporary drive which disappears after the shell has been closed, but it's also harder to detect, of course, so for our purposes that's what we're gonna do. We specify the name, so we've gone with J drive; we set the provider to be the file system, of course; and we specify the root
directory. Now it's a long string, of course, but we've specified eviler-my.sharepoint.com, and the most important one is SSL, of course, so it gets encrypted. Excuse me. And then we specify root, personal, and then the full username and domain, and we specified Documents as the root directory, and then we feed in the credentials. It's not too difficult, but we're gonna have another demo here of just going through this quickly.

And as we mentioned before, of course, in File Explorer most users are going to interact just simply by clicking on My Computer or My PC, depending on the version, and they're gonna see devices and drives pop up first, and of course you're gonna see that this is not present. So we're just looking at ZoneMap; obviously nothing is there right now. I'm gonna show Get-PSDrive, which is a way to actually display PowerShell drives, but of course we can see nothing is mounted at all other than C and D at this point. So we're gonna paste in the PowerShell that we were looking at before. There's the red text we expect, but now we can see that G has actually been added, and we can see the full path there, as it's on SharePoint at SSL. So we're gonna cd into the drive and we're gonna validate that we now have write and read access to the directory. So nothing's present right now, but we're gonna echo in "this is a text" into a test file, and we're gonna see that it works. So we can see we now have a usable drive, thankfully, and we can see the full path there if you'd like to look at it. And we'll validate that we've also got read access, which isn't necessarily implied, but we can just Get-Content on the file and we see that "this is a test". So checking out File Explorer again, we can see, again refreshing it, the user sees nothing; they are completely unaware that there's a drive now mounted on their system. And of course going back and refreshing, we now see SharePoint with all of our DWORDs that we would expect.

All right, moving on. So phase 3 is actually doing something
interesting, of course. Again, in the spirit of keeping things simple, we're just simply going through, we're identifying all files in the user's directory, we're quote-unquote stealing all of their PDFs recursively within their user's directory. And then for the C2 portion of things we're going to go and run some commands, so today's commands.txt. And most of you are probably aware of this, but PowerShell by default prevents you from running PowerShell scripts on a default install of Windows. So there's many ways around that specific execution policy restriction, but the simplest and probably my favorite is simply reading in those commands from, say, a text file and piping them into PowerShell. That's good enough to get around that restriction.

So I'm gonna have another simple demo here. We can see that we're currently in our SharePoint drive. We're gonna paste in the commands we were talking about earlier, and we can see it slowly go through and identify all the files and identify and upload all PDFs into that share. So this is coming at it from the data exfiltration perspective, of course, which is most concerning to enterprise customers. Of course it's not the only thing you can do, but it's an example. So we can see we've got current files, we've got financial statements, et cetera, et cetera, just a demo. And we can see that we've now popped calc and we've loaded up blackhat.com. Nice and simple.

So I guess for the purposes of the talk, obviously that's nice, but we need to look at weaponizing it a little bit. So we've gone with something simple again and just gone with a macro-enabled Word document, and doing this just using Unicorn. So one of my favorite tools, of course, written by TrustedSec, but it's probably the easiest way to take some raw PowerShell that you've developed and instantly convert it into something you can paste into VB editor and use as a macro. It's very simple and I'll show you how to do that. As you'll see on the next slide, at least using this method, most detections for
endpoint tools are relatively non-existent, and Unicorn, although it's not overly effective with sandboxes, it does try to evade them by delaying detonation until after the document's been closed. So you can try to remember this hash for later, but it starts with C10 and ends in F83. But at the time of submission our quote-unquote totally legitimate document was only detected by 4 out of 58 vendors, and it's likely that the four that did detect it identified a generic string that Unicorn uses as an error message, so if they look for that they can usually find Unicorn quite easily.

And again, for those who haven't actually seen the output of what Unicorn creates when you generate some PowerShell, or feed it PowerShell I should say, this is just what it looks like inside of VB editor, and you see that generic string down here. Hopefully, yeah, you can see my mouse. You've got "the document appears to be made on an older version of Microsoft; please have the creator save to a newer and supported format". So frankly that works on a lot of users, of course, but you can write easy signatures to look for that string, so if you're going to do this in a real pen test, of course, probably change it.

So this is the final demo for the first proof of concept. We're looking at the attacker's machine, of course, so this is on SharePoint, and we've just refreshed it and we're gonna look at today's commands. Of course this is completely arbitrary; we're just popping calc in this case and loading up IE, but if you're doing this for real you'd probably look at adding some type of persistence mechanism or something else that allows you to do this on a recurring basis. So looking at our PowerShell, you'll notice that it's, call it compressed: instead of having every line generate a carriage return, the VB editor is very particular about how many carriage returns are present in the file, so you can actually compress, say, a hundred lines of PowerShell like what you see here down into one line simply by deleting the
carriage returns and replacing them with semicolons. There is a very low limit when it comes to carriage returns in most macros. So we can see what it looks like, and we're just feeding this into Unicorn. It's very simple: so basically you just specify what PowerShell you'd like to use, you specify that you want to generate a macro, and you create your character limit of 500, and that is all you have to do to now get powershell_attack.txt, and that is a fully working macro with whatever PowerShell you've given it. So that's what it looks like. It's important to note, depending on what application you're targeting, you may have to change the sub name. So in this case, by default Unicorn adds an underscore between auto and open. This works for Excel but it does not work on Word; you actually have to delete the underscore and make sure the macro is named correctly as well. It's a little finicky, but just so that you're aware.

All right, so moving on. So we're now looking at corporate drone's workstation, and we're gonna need to use a bit of our imagination and assume that he's been the target of some type of phishing attack, but totally legitimate document has now ended up on his desktop, as we can see there. And unlike most users, more for the purposes of the demo, we've got Wireshark running here with a search query specifically looking for SSL handshake extensions for the SNI of portal.office.com, and this is just to display what your security infrastructure is going to identify on the wire when these attempts are made, assuming you're not doing SSL decryption. So we'll come back to that in a minute, and we're just going to show the hash here so you guys can try to remember or recall what it was in the last slide, but it's C10 F83. And yes, you can do this through PowerShell, but this is easier to read at the back anyways.

Moving on. So we're gonna actually execute the document, and as you would expect, Word has built-in macro protections. So actually, before it goes, I lifted this from an
actual sample of malware, which I guess is the credit to Norton, but end users find this very trustworthy. And for those at the back, it simply says the document's been secured by Norton; to view this protected document, click enable content. And this type of message works on a very large percentage of end users, unfortunately. So just clicking it, we see that generic message pop up saying older version of Word, try to get a new one from your sender, and pressing OK, of course, from the user's perspective nothing happens; it goes blank, as you would probably expect. But jumping onto Wireshark and looking at the wire, we see multiple requests to portal.office.com, and that's all you see. So if you are not looking at doing SSL decryption between your enterprise and Office, that's what you see. It's very difficult to identify this as being any type of malicious behavior whatsoever, especially if it's being run once.

Moving on, of course calc eventually pops, as well as blackhat.com coming up, that we can see. Moving back to the attacker's machine, as you would probably expect, the files that we looked at before have now been uploaded into SharePoint. We can click on the desktop; we've got it named appropriately for that specific user. Going to uploads, and we can see, once it loads, that all of the files that we would expect to be there are now there. And it's surprisingly easy to do this, as you guys have seen. All right, so as you would expect, just a list, but again it's a demo, it's a proof of concept; you guys can use your imagination and think of what an actual pen test or something worse might be conducting here.

So for the blue teams in the room, of course, the easiest way, of course, to come at this is from the network side, but it does require you to decrypt TLS on the wire, which can be of course expensive. If you want to look at actually blocking this inline instead of dealing with it as kind of an incident forensic perspective after the fact, you can create custom signatures with most
products that identify either your Office domain or negate that, so that any other domain other than yours gets dropped immediately. You can do, of course, endpoint log forwarding; you can pick your product of choice. Obviously Windows has built-in utilities to do this as well, by just creating an alert every time New-PSDrive is used, or doing bulk analysis: you can reach out through WMI or whatever you'd like and just run Get-PSDrive and look at the outputs, of course, and see if there are SharePoint drives that are mounted, and if there are, is that OK? This is more a suggestion for forensics, of course, but network devices, not just firewalls but anything with NetFlow or something that's keeping track of the byte counters on the flows themselves, can identify extraneous external uploads, of course. So in a normal connection you'll see a disproportionate amount of bytes allocated to the server side, of course, since the client is requesting data, but in an external upload, of course, your client maybe has a ten to one or twenty to one ratio with the amount of traffic it's generating versus the server, so they do stand out quite well, again for data exfiltration. And of course, depending on how you're coming into the network itself, you can defend against a lot of this using some type of sandbox. Of course behavioral analysis does work sometimes, and of course email is the primary factor that we're concerned about here.

So what about sandboxes? We've kind of already touched on this, of course, but this specific technique, since it's just generic PowerShell, detection rates are pretty low, especially for static analysis engines and obviously signature-based. Again, we've kind of touched on this as well, but sandboxes do not like when you're modifying the registry and interacting with the browser in some way, shape or form. So what can we do about sandboxes? And before we get into this I'll just give you a really quick primer on sandbox evasion, I guess. So initially it started out, there were a couple different camps
on how to do this, but primarily folks focused, rather, on sleep functions. So if they're able to out-sleep the sandbox, of course, given that most sandboxes have a hard-coded timer set, whether it's 5 minutes, 10 minutes, they have a limited amount of time to determine that a file is actually malicious or not, and of course using sleep is a very simple way to sleep longer than the sandbox. Looking at VM detection, just generic VM detection: system properties, how many CPUs you have, how much RAM, if you're using say paravirtualized storage drivers, anything like that that gives away that the VM's there, VMware Tools, VirtualBox add-ons, et cetera. There's many, many ways to determine that you're in a VM, but as an industry we've overcome almost all of these, of course.

Then we get into more complex attackers, of course, that have started fingerprinting vendor, or individual vendor, sandboxes. So it should come as no surprise, but if you are building a custom sandbox there is going to be some sort of artifacts from your technology on that OS, whether it's DLLs, kernel hooks, specific drivers; there's something there that probably gives it away that it's the sandbox. But again we can do pretty well, especially if we've gone to something like bare metal when we're detonating these payloads. After that, of course, this one's still a little hard to overcome from a sandbox perspective, but doing generic human behavior analysis within the VM itself is still quite effective: just looking for, say, ensure the user has scrolled through say 50 pages, or check the browsing history, make sure it goes back 6 months and that they've bookmarked website X, is still a pretty effective way to get around sandboxes.

The last two are more concerning, of course. A lot of vendors' technology requires a sandbox to be vulnerable to that specific exploit for them to be able to detect it's been executed. So an intelligent attacker can make an assumption about their target, saying, hey, I know this enterprise, this
patch management schedule usually takes 12 months to catch up. If I pick an exploit that's 18 months out, 18 months old I should say, and detonate it, or check its vulnerability status rather, I can make a reasonable assumption that if it's vulnerable I shouldn't be detonating my payload, because I'm probably in a sandbox or some type of honeypot. That one's problematic to deal with. And arguably the most problematic one to deal with, at least as far as, I guess, a global sandbox issue, is just delaying execution through generic routines. So the best example here is computing pi to 10 million digits. On a slow sandbox that can take days, and the sandbox doesn't necessarily view that as malicious, especially if you, say, apply some type of nice level where it's not consuming much CPU. If it doesn't detonate until it's computed pi, it's very, very difficult for sandboxes to identify this type of thing, but we're working on it.

So what else can we do? The probably most effective method that I'm aware of right now is designing malware that places malicious payloads in interesting locations that are likely to be detonated by the end user, but they lack the ability to detonate themselves completely. So I know that's kind of nebulous, but as a specific example, as a malware author you can look for recently accessed files, such as, say, the last 10 modified documents, and make a reasonable assumption that a user will come back at some point and try to modify it, whether it's a grocery list, a presentation, doesn't matter. If you embed something into those files you can make an assumption that it will get triggered eventually, and of course the sandbox has a very hard time dealing with this. So this is just a quick example on how to find your last top 10 modified documents and then sort them, and then of course most usually provide the full path to them.

So we've got a couple options if we're going to try to do this through a sandbox. Easy mode is simply outright replacing those files with malware:
same name, same extension, same icon. Sometimes works, but honestly it's not that effective. Hard mode, which works quite well, but it does require some permissions, or at least making some assumptions about the environment before you launch it, but you are able to inject macros into existing Word documents and then exit, and of course the sandbox will not follow up and then detonate that Word document; it just sees that, hey, you embedded VBScript somewhere, that's not really a problem from my perspective. Or, my personal favorite at the moment, replacing those files with shortcuts that then point to a malicious second stage in a whitelisted location, such as Office's trusted locations, which override a lot of the generic protections such as macro protection for your files. So instead of getting that enable content pop-up it just automatically detonates once it's launched, and this is surprisingly easy to do.

So as you can assume, since you're not distributing malicious payloads in your first stage, you do have to have some way of downloading that malicious second stage to the endpoint, and the easiest way of course is WebClient, although as many of you may be aware you'll generally get flagged by an AV vendor, because it's just a generic Trojan.Downloader. This is pretty common, of course. So there are lots of other methods, but if your sole purpose is getting that Office 365 drive mounted, because frankly once you have a local mount on a file system your job as a pen tester becomes immediately easier, almost infinitely easier, because you can interact with it using normal user commands instead of fetching and doing other nefarious things. But if you need to get that and you don't want to use WebClient, you can use reverse shells and paste it in manually, you can do tunneling through ICMP, DNS, take your pick; just get it there somewhere, somehow, rather. And again, that's kind of alluded to in the last slide, the most effective place to put this, assuming, or sticking with
Microsoft Office documents, is to put it into one of the trusted locations. They are not protected locations, but they are whitelisted, so when again the user opens up that shortcut it's going to link to the malicious file, which no longer has any of the traditional protections that Word provides you.

So, I know, sorry, I know I said I would keep it simple and this is a lot of PowerShell on the screen, but it's still quite simple. So again we're looking at our top files on the top, and we create two arrays: one was originally the normal files, so the top ten documents, and then we create another array that simply replaces our DOCXs with shortcuts, so LNKs. And then we have a simple for loop, so for every file in that LNK array we create a new object, which is a shortcut, of course, and we point that to our, again, totally legitimate document, keeping things consistent, and that resides in that trusted location, which is AppData, Roaming, Microsoft, Word, Startup, et cetera. Saves it, and then it sleeps for one second to ensure that all of the files don't have, I guess, similar or identical timestamps.

And after that, so line 18 down, basically it's just fetching the file. It is using a WebClient, just to show you a different way of fetching the file, but it's still hosted on SharePoint. Excuse me, sorry. Still good, I think. All right, the URL is all there, so you can actually generate that URL by doing get link or copy or share through one of the GUIs that you have. The only minor modification you have to do is replace guest access with download ASP. So generically, if you use the normal link it's gonna open up a browser and it's going to navigate to the online portal for Word and let you maybe have read access or write, depending on what you generate. So that's the full link, of course. WebClient downloads it, and then we make an assumption, of course, that 7-Zip is present on the endpoint, but we're doing that so that we can have an encrypted payload, at least. Frankly, most tools, even if they're
able to intercept that WebClient request, they don't necessarily alert you if they're unable to extract an encrypted payload. So in this case we've got latest forms dot 7-Zip, innocuous sounding, and then we basically feed in the password of blackhat 2017 password one two three four five on line 30 down here, and then we extract that into our trusted location, and then we clean up and delete the original files. Excuse me.

All right, so this is a bit of a prettier demo, but this is corporate drone again, and he's the subject of a phishing attempt which simply reads: hello corporate drone, as discussed please find my cover letter attached to the email, thank you for your consideration. Very generic attempt, of course. And then we've got our original documents on the right-hand side; we can see the path, of course, to just C, user name, Documents, where you would expect it. So corporate drone's maybe learned a few lessons over the last couple months and thinks, hey, this is pretty suspicious, maybe I shouldn't open it. So he's gonna run it through Defender and then he's gonna try a sandbox. He did extract it to his desktop, which arguably is kind of dangerous anyways, but he's gonna run it through Defender, and we're assuming it's going to go around it just fine. Scanning the whole desktop to be certain, and Defender's not flagging it.

So he's going to try something else, and we're gonna use Cuckoo here, and just an immediate shout-out to the Cuckoo guys: it's a fantastic product, really recommend checking it out, and if you aren't aware, most major commercial sandboxes are actually leveraging Cuckoo as well for at least part of their infrastructure. It's a very nice, easy-to-use tool. So here he's saying, I'm gonna specify that it's a document and see what happens. And for the, I guess, sake of time we've sped this up, of course, but the report comes out and immediately you can see that the threat level of the file is not considered threatening: it's one point eight out of ten. It's not a perfect analysis of
course but generally speaking anything under four depending on the product you're looking at seven or eight will usually get through anyway so he's gonna go and look you can see screenshots you got a full behavior breakdown but he sees that oh hey it looks like there's a version issue it's the same error we saw with the unicorn from before of course but he's gonna keep looking and he clearly knows enough to be dangerous but he hasn't really learned that launching tower shell I would have word is probably a bad thing but um it's there of course it dropped some files as you would expect but frankly it's not doing anything bad from the sandboxes perspective so he thinks it's okay so he's gonna go and open it and we're gonna see what we probably expect here we enable content it's a macro right it's not interesting and then we press ok and then immediately we see our documents have suddenly transformed from documents into shortcuts and of course they look like doc ends you can change that if you'd like but now they are only a shortcut pointing to that malicious file so you can see when you open the path specifically it's sitting in that app data trusted location so when you go and click on and of course he wants to work on its grocery list you don't actually open a grocery list you go to your malicious file and in this case you've noticed you did not have to click enable contents so it is a very effective way of getting a malicious payload detonated without obviously worrying about the user cooking on things so what is next so this is a lovely proof of concept of course but you can't necessarily take it home obviously if you have a reverse shell you can copy/paste this in or just copy from github that I'll give you links for but having a tool that does this for you would be nice so specifically working with Empire rather excited about it frankly on a office 365 listener module very similar to the module that was just released for Dropbox excited about it we can talk 
about that after if you'd like after that of course logically Metasploit makes the most sense I'm taking feedback right now on what you guys would think is useful in this case but it's gonna be a generic kind of proof of concept initially and then most importantly just due to the time constraint that we had here we didn't really have time to talk about the api's within office 365 but being able to leverage those within the tools would obviously make a lot of sense right now the api's are somewhat limited when it comes to sharepoint they're almost non-existent but a onedrive does allow you to interact with the file system as well as add and remove files so that that can of course have a lot of value so closing remarks I think I've kind of beat this to death at this point but you need to decrypt your TLS traffic it's unfortunate but it's a real especially if you want to intercept this communication on the wire it's fine to do incident response after but this will actually prevent these types of attacks before they occur so again you can monitor for PS Drive usage or you can deploy signatures if you're decrypting the signatures are quite effective at stopping this of course but it does come with a resource penalty on your network appliances so this is more of a an industry-wide problem I suppose but Sam boxes need to get better only basing your analysis on the first file in the chain not necessarily looking at all files and how they behave is kind of a flawed approach frankly you do need to do secondary or tertiary file analysis to detect this stuff and of course inspiration none of us really work in a bubble here of course but the initial inspiration came out of a talk that George and Dmitriy were doing from CrowdStrike back at RSA in February and they were talking specifically about techniques that bears and pandas were using but for this talk of course this came out of their cozy bear analysis that was using net use and the public version of onedrive so it's a 
little different of course and it's it's much more easy to block in an enterprise than office 365 but it's a similar approach of course and then of course Kaspersky Labs has a very similar write-up on cozy Duke so as far as references go you guys don't have to write this down the slides will be up later of course but all of the PowerShell that we used here is available and that's it thank you [Applause] [Music]
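The "monitor for PSDrive usage" mitigation from the closing remarks, sketched as an added example that is not part of the talk or the speaker's code: it scans PowerShell script text for drive mappings (`New-PSDrive`, its aliases, and `net use`) whose remote host is not on an approved list. The host names, the allowlist and the sample log text are constructed assumptions.

```python
import re

# Assumption: file servers your organisation has approved for drive mappings.
APPROVED_HOSTS = {"fs01.corp.example"}

# New-PSDrive, its built-in aliases (ndr, mount) and the older "net use".
MOUNT_CMD = re.compile(
    r"(?<![\w-])(new-psdrive|ndr|mount|net(?:\.exe)?\s+use)(?![\w-])", re.I)
# UNC root. WebDAV mounts look like \\host@SSL\DavWWWRoot\..., so the host
# stops at '@' and the suffix is captured separately.
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9.-]+)((?:@[A-Za-z0-9]+)*)\\")

# Constructed sample: script text as it would appear in PowerShell
# script block logging (event ID 4104). Host names are placeholders.
SAMPLE_4104 = r"""
New-PSDrive -Name H -PSProvider FileSystem -Root \\fs01.corp.example\home
$c = Get-Credential; N`ew-PSDrive -Name J -PSProvider FileSystem -Root "\\tenant.sharepoint.example@SSL\DavWWWRoot\sites\hr" -Credential $c
net use Z: \\files.external.example\drop
Get-ChildItem \\fs01.corp.example\home
"""

def find_remote_mounts(script, approved=APPROVED_HOSTS):
    """Return one finding per drive mapping whose remote host is not approved."""
    findings = []
    # Split on newlines and ';' so each finding maps to a single command.
    for stmt in filter(None, (s.strip() for s in re.split(r"[;\r\n]+", script))):
        # Backticks inside a command name are a common obfuscation; drop them.
        normalized = stmt.replace("`", "")
        cmd = MOUNT_CMD.search(normalized)
        if not cmd:
            continue  # a UNC path alone (e.g. Get-ChildItem) is not a mount
        for host, suffix in UNC_HOST.findall(normalized):
            if host.lower() not in approved:
                findings.append({
                    "command": " ".join(cmd.group(1).lower().split()),
                    "host": host.lower(),
                    "webdav": bool(suffix),
                    "statement": stmt,
                })
    return findings

if __name__ == "__main__":
    for f in find_remote_mounts(SAMPLE_4104):
        print(f["command"], f["host"], "webdav" if f["webdav"] else "unc")
```

Script block logging must be enabled for this text to exist on the endpoint; the allowlist is where an enterprise would encode which tenants and file servers are expected.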
Info
Channel: Black Hat
Views: 8,957
Rating: 4.9259257 out of 5
Keywords: Black Hat USA, Black Hat 2017, Black Hat USA 2017, InfoSec, Information Security, Black Hat, BHUSA, Office365+Powershell, Malware, office365, powershell
Id: CvEXzHkhcjo
Length: 36min 28sec (2188 seconds)
Published: Mon Dec 04 2017