Windows Agentless C2: (Ab)using the MDM Client Stack

Windows Agentless C2: (Ab)using the MDM Client Stack

Marcos Oviedo

This talk unveils groundbreaking research that harnesses the Windows Mobile Device Management (MDM) stack to create an agentless C2 system.

I will provide a thorough analysis of the MDM client architecture, diving into MDM protocols, components, and workflows. The talk will reveal previously undisclosed vulnerabilities and attacks, showcasing examples of abuse and exploitation.

I’ll detail my journey in creating a custom C2 server. This process involves implementing the MDM protocols, crafting malicious MDM commands, abusing the MDM Client stack, and extending it to support second-stage payloads. I will show how the MDM client architecture can be exploited to gain full control of a device remotely, escalate privileges, disable security features, and deploy arbitrary code, all without installing a traditional agent.

By showcasing innovative techniques to exploit Windows features, I aim to inspire further research into defensive strategies against this emerging threat vector.



Marcos Oviedo is an infosec professional interested in Windows internals and reverse engineering. His professional experience spans exploit prevention, security research, and development of endpoint security solutions and tools. Marcos excels in defensive and offensive infosec projects. He has organized BSides Cordoba and contributed to the Cordoba Hackerspace. Marcos enjoys making diverse and meaningful contributions to the infosec field. He enjoys embarking on magical adventures with his two daughters when not immersed in computer security.

More Upcoming Events

No hay próximos eventos en este momento.