Talk

Needles in the Haystack: A Heuristics-based Approach to Vulnerability Discovery

Conference talk, 2023-11-02 09:45 – 10:30, La Marive (EN)

What happens if you compromise a host in the target environment and all of your common tradecraft is no longer viable because of system hardening and patching? The ability to discover, triage, and exploit vulnerabilities on red team operations has become a critical skill set, especially for those targeting mature organizations. It opens many new avenues for building attack paths that would otherwise not be available through common techniques. Discovering new exploitable vulnerabilities on Windows systems, however, can be a daunting task. Many view it as a process that requires an immense amount of time, skill, and often plain old luck. Because this skill set is so critical to our operations, we have invested a great deal of time into honing our approach for identifying vulnerabilities that we can quickly leverage while constrained by time. This approach has continuously yielded exploitable vulnerabilities in both commercial and consumer applications on modern versions of Windows, primarily facilitating local privilege escalation (LPE) and remote code execution (RCE), but also providing novel methods of persistence and initial access. In this talk, we will share our heuristics for quickly triaging a host to identify potential vulnerabilities, discuss the common bug classes that we hunt for, walk through their exploitation, and provide case studies of vulnerabilities that we’ve found on real-world operations. After attending this talk, the audience will understand how to optimize their own vulnerability research process and how to exploit some of the most prevalent vulnerabilities we see in our work.