There are several languages and methods used to execute code on a computer system, such as C#, Powershell, Python, VBA, and many more. The defense is getting better, which has caused the offense to adapt and look for innovative ways to “live off the land”. One area that has not been explored deeply is utilizing tools that the Java Development Kit (JDK) provides. According to a statement by Oracle, Java runs on 3 billion devices. Enterprises depend on Java running on their user endpoints and servers in order to keep their businesses running. This makes using tools installed with the JDK very enticing to attackers. This talk will explore using JDK command-line scripting tools and the Nashorn Javascript Engine to perform several actions, such as downloading files, executing scripts locally and remotely, and gaining a remote interactive shell to a computer system. Detective and preventive controls will also be discussed for the usage of these JDK scripting tools.
Brett has been in Information Security for several years in the private sector working for multiple Fortune 500 companies across different industries. He has focused on both offensive and defensive disciplines, with more of a focus on the offensive side recently. He holds several industry recognized certifications from SANS and Offensive Security, and has spoken at BSides Cleveland previously. His extensive knowledge and experience in a breadth of different areas in Information Security give him a unique and well-rounded perspective. When not at his day job, he enjoys doing security research, programming, and playing sports and video games.