DFIR Forum

DFIR Forum will introduce best practices in digital forensics and incident response, sharing investigation techniques, forensic tools, and case studies to assist businesses in effectively responding to cybersecurity incidents and digital crimes.

TIME & LOCATION
  • 5/16 (Thu.) 14:45 - 17:00 | 701H Meeting Room
AGENDA
5/15
15:45 - 16:15
Peter Hsiao / Technical Consultant, Trend Micro
  • Incident Response
  • Threat Detection & Response
  • Windows
5/15
16:30 - 17:30
Vincent Lo / Group Offensive Cyber Security Senior Manager, Qantas Airways

Web shells are frequently used in website attacks. They allow attackers to bypass the web server and reach the underlying operating system or database to steal critical information such as user credentials; as a result, the operating system can be compromised through the web server. To evade detection and code analysis, web shells often obfuscate their code or add login functions to conceal their features and presence. This session will demonstrate a number of web shells and their obfuscation techniques.

5/16
09:30 - 10:30
Jie / Solutions Architect - Cortex (JAPAC), Palo Alto Networks

The DarkWeb is a misty area of the Internet. TOR (The Onion Router) is the major technology composing the DarkWeb. In this talk, I will discuss how to get on the DarkWeb, how to set up your hidden services, how to analyze an onion site, how to use OSINT skills to get more information about the DarkWeb, and what tools to use to monitor your data on the DarkWeb.

  • Data Leak
  • Breach Detection
5/16
14:45 - 15:45
Tim Yeh / Security Solution Architect, AWS Taiwan
Joseph Chiu / Trend Micro
  • Cloud Security
  • Incident Response
  • Digital Forensics
5/16
16:30 - 17:00
Aspen Yang / Technical Manager, Stark Technology Inc.

Logging into Windows goes through a program named WinLogon.exe. It calls the LsaLogonUser() function in Secur32.dll, which uses the Local Security Authority Subsystem Service (LSASS) to authenticate the user's credentials. Windows ‘Security Support Providers (SSPs)’ are implemented by a number of DLLs, mainly NTLM, SAM, Kerberos, etc. At system startup the SSPs are loaded into the LSASS process, which allows them to access the encrypted passwords, plaintext passwords, or hashes stored in the system. LSASS’s authentication process uses these SSPs to obtain user credentials in various ways and keeps credential material such as encrypted passwords, Kerberos tickets, and NTLM hashes in memory. This credential information is the primary target for attackers before they move laterally between endpoints. In the MITRE ATT&CK matrix this technique is called ‘OS Credential Dumping: LSASS Memory (T1003.001)’, and the well-known Mimikatz is the main tool used for it. In practice, running an LSASS dump command is quite simple, but the speaker will share the technical principles of LSASS, the program logic analysis of an LSASS dump, and the forensics of this attack process from the perspective of cybersecurity forensics.

  • Threat Research
  • Windows
  • Endpoint Security