Ettore Bordoni Relatore

Lista Talk

• Legitimate Until Proven Otherwise: Emerging Initial Access Techniques As phishing and common exploits become increasingly mitigated, adversaries are pivoting to non-traditional, low-visibility initial access vectors. This presentation examines three such techniques (validated through real-world incident response and threat intelligence reports) and analyzes them from both a detection and hardening perspective. First, Rogue RDP weaponises .rdp files to force outbound sessions where drive-redirection silently mounts the victim’s \tsclient share for exfiltration or payload staging (no local code execution required). Second, we expose ML-framework deserialization RCEs: PyTorch CVE-2025-32434 (torch.load, weights_only=True) and Keras CVE-2025-1550 (Model.load_model, safe_mode=True), both enabling attacker code during model loading in CI/CD or inference services. Third, FileFix (ClickFix variation) chains browser clipboard abuse with Explorer’s address-bar autostart to pop hidden PowerShell with a single paste. For each vector: an annotated PoC (offline/safe), high-fidelity telemetry, and ready-to-use Sigma/YARA patterns + SIEM queries (SPL/KQL). A hardening matrix maps mitigation controls across tactical measures (e.g., drive redirection policies, import allow-lists) and long-term strategies (e.g., model signing, userland segmentation). This session aims to equip blue teams with both actionable detections and a practical roadmap for reducing exposure to these evolving initial-access techniques. - 16:00/16:45, 15 Nov 2025