Adversarial Post-Ex: Lessons From The Pros
Justin Warner, Chris Ross - Veris Group's Adaptive Threat Division
Overview
◦ Introductions
◦ Adversary Emulation
◦ Lessons From "Bad Guys"
◦ Post-Ex Features
  ▫ Analysis of Bad Guy Use
  ▫ Lessons Learned
  ▫ Proof Of Concept
◦ Defending Against Post-Ex
◦ Conclusion
$whoami
◦ Justin Warner
  ▫ Manager - Offensive Services, ATD
  ▫ Former USAF Guy
  ▫ Interest: red team, reverse engineering, PowerShell, and studying tradecraft
◦ Chris Ross
  ▫ Penetration Tester/Red Teamer - ATD
  ▫ Python EmPyre Developer
  ▫ Interest: Replicate adversarial tradecraft in PowerShell and Python
Inspiration For This Talk
◦ Richard Wartell (@Wartotell) - Malware Is Hard, Let's Go Shopping!
◦ Offensive toolsets
  ▫ Matt Graeber (@mattifestation) - PowerSploit Project
  ▫ Josh Pitts (@midnite_runr) - BDF Proxy
  ▫ Jamieson O'Reilly - Mimikittenz
◦ Lots of red team engagements
First Things First - Let's not rush this
Adversaries
◦ Adversary - One's opponent in a conflict
◦ Threat - The potential for the occurrence of a harmful event
  ▫ The source and means of harm
◦ This is the entity on the other side of the playing field
  ▫ A wide range of entities and abilities
  ▫ A lot can be learned by studying them
APT Like These Guys
… Or More Like These Guys
Adversary Emulation
◦ A type of red teaming that focuses on the emulation of a specific adversary
  ▫ Utilize intel to model the adversary
  ▫ Highly realistic tools
  ▫ Attempt to behave as they have before
  ▫ Many strengths
◦ Some weaknesses to this approach
  ▫ Risk of handcuffing the red team
  ▫ Easy to study tools, hard to emulate tactics/techniques (lack of intel)
Diamond Model
The Diamond Model of Intrusion Analysis - Chris Betz, Sergio Caltagirone, Andrew Pendergast
Axiom 1: “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over
infrastructure against a victim to produce a result”.
Post-Exploitation
◦ Post-Exploitation - The actions taken by an adversary after exploitation
◦ Some example actions:
  ▫ Recon
  ▫ Privilege Escalation
  ▫ Credential Abuse
  ▫ Lateral Spread
  ▫ Additional Exploitation
  ▫ Sensitive Data Access
  ▫ Exfiltration
Malware Repurposing
◦ The process of analyzing malware with the intent of reusing techniques, code, or actual samples
◦ Relax… somebody else has done the work so you don't have to
School Is In Session - Bad Guys
Learning From "Bad Guys"
◦ Benefits:
  ▫ Highly realistic (based on real events)
  ▫ Continuous tool ideas - "Hackers gonna Hack"
  ▫ They have solved the problem for you
◦ Downsides:
  ▫ Can be a significant effort to emulate
  ▫ Not always easy to translate techniques into usable assessment methods
  ▫ Risk of focusing too much on known methods
  ▫ Limit creativity
Process For Emulation
See Cool Stuff
◦ Where can we see cool stuff?
  ▫ APT Reports
  ▫ VirusTotal API
  ▫ Private malware sources
  ▫ Network defenders (for internal teams)
  ▫ VirusShare
◦ What are we trying to get our hands on?
  ▫ Raw samples
  ▫ IOCs and other obvious defensive sigs
  ▫ Technical discussion over TTPs (intel)
Analyze Cool Stuff
◦ Malware analysis and RE skills will be useful but are not required
  ▫ Plenty of technical threat reporting to help guide your development
◦ Learning RE is fun!
  ▫ "Practical Malware Analysis"
  ▫ "The IDA Pro Book"
  ▫ Endless hours reading assembly and controlling bad guy tools
◦ Consider the value of generic TTP discussion rather than tool specifics
We Will Not Do This To You
Research Alternatives
◦ Are there other APIs or pre-built libraries that will allow you to accomplish this technique?
  ▫ Will be useful to be familiar with WinAPI
  ▫ .NET assemblies will have many things implemented for you
◦ Is there a project that already implemented a certain technique?
  ▫ If it is not "representative" enough, might not consider it an alternative
Implement Cool Stuff
◦ Don't work too hard…
  ▫ No need to learn C/C++ unless you are truly strict on replicating
  ▫ Live off the land!
◦ Why are we such PS fanboys?
  ▫ Native to Win7 and above
  ▫ Direct API access through reflection
  ▫ When used appropriately, memory-only capabilities can be created
  ▫ Easy to prototype, dev, test, and deploy in a rapid manner
Tool Disclaimer
◦ These tools are POCs written to demonstrate concepts
  ▫ Not all of them will be actively supported
◦ Use at your own risk… learn the language and review the code!
  ▫ Even better, start similar projects or contribute back to these
1. Hot Cam & Hot Mic - Oh the things you will see...
Examples In Wild
◦ Microphone
  ▫ LuxNetRAT - "Over the Counter" RAT
    https://brage.bibsys.no/xmlui/bitstream/handle/11250/198379/KTGardasen.pdf
    MCISendString to issue commands to the backend interface
◦ Webcam
  ▫ RocketKitten - MPK Shell
    Simplistic custom backdoor
    VFW capCreateCaptureWindow API call to create a hidden capture window
    SendMessage to the new capture window to control the camera actions
How it Works - MCI Hot Mic
Multimedia Command Interface (MCI) - Device independent method of controlling multimedia devices
Command strings passed to MCISendString (the diagram shows a Sleep while the recording runs):
    "open new Type waveaudio Alias SecretName"
    "record SecretName"
    "save SecretName"
    "close SecretName"
How it Works - VFW Snapshot
Alternatives?
◦ Video
  ▫ Most of the tools we saw utilized DirectX and DirectShow to accomplish Video Capture
    There is a .NET assembly for this!
  ▫ What does MS say about VFW:
◦ Audio
  ▫ We analyzed a bunch of tools that used native WinMM methods instead of MCI
MCI Hot Mic
◦ Get-MicrophoneAudio in PowerSploit "dev" branch
  ▫ Utilizes pure reflection in PowerShell to call Win32 API in Winmm.dll
  ▫ Writes "wav" file to disk at specified location
  ▫ No compression
  https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-MicrophoneAudio.ps1
RocketKitten VFW Mockup
◦ Get-VFWSnapshot
  ▫ Logically similar mockup of camera functionality in the MPK backdoor
  ▫ Utilizes PSReflect from Matt Graeber to expose Win32 APIs
  ▫ BUT… causes user interaction almost every time (unless camera is activated)
  https://github.com/sixdub/BSidesDC2016/blob/master/Get-VFWSnapshot.ps1
...When We Listen To M$
◦ Get-DXWebcamVideo.ps1
  ▫ Utilizes DirectShow .NET and DirectX Capture Library
    All credit to the original authors:
    DirectX Capture - Brian Low - Public Domain
    DirectShow .NET - Unknown - LGPL
  ▫ Captures video and audio
  ▫ Supports compression and video tuning
  https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-DXWebcamVideo.ps1
2. Toying With Skype - When APIs turn against you
Examples In Wild
◦ T9000 Malware - "tyeu.dat"
  ▫ Used in APAC region for targeted attacks
◦ Malware is used to gather screenshots from active user and Skype for Desktop data
  ▫ Heavy anti-analysis features :(
  ▫ Thread 1 - desktop screenshots
  ▫ Thread 2 - targeted window screenshots
  ▫ Thread 3 - Skype monitoring via API
    Video snapshots
    Audio recordings
    Call log
How it Works 1/2
1. RegisterWindowMessage - SkypeControlAPIAttach, SkypeControlAPIDiscover
2. SendMessageTimeout
3. Skype Alert
4. Messages filtered - Custom WindowProc Function
How It Works 2/2
Call status messages seen for CALL 34243 (partner HotSexyBod123): RINGING, INPROGRESS, FINISHED
    "GET CALL 34243 PARTNER_HANDLE" -> "HotSexyBod123"
    "ALTER CALL 34243 SET_OUTPUT FILE=out.wav"
    "ALTER CALL 34243 SET_CAPTURE_MIC FILE=mic.wav"
Status: Call Logged
Skype Controller
◦ Start-SkypeRecorder
  ▫ Heavily adapted from T9000 malware and other third party software.
  ▫ Utilizes pure .NET reflection to create a window and send messages.
  ▫ User interaction will be required upon request to connect to the Skype Desktop API.
  https://github.com/sixdub/BSidesDC2016/blob/master/SkypeRecorder.ps1
3. File System Fun - Gift that keeps on giving
Example In Wild
◦ FLASHFLOOD Malware
  ▫ APT30 aka NaikonAPT
◦ Profiles host and packages up selected files
  ▫ Uses timestamps to measure change
  ▫ Uses deflate compression with slight mod
◦ Gathers:
  ▫ Windows Address Book (WAB) info
  ▫ All .lnk files from recent docs
  ▫ All files matching predefined patterns from:
    Connected drives (USBs)
    Desktop
    Temp internet files
    Temp
How it Works (diagram)
    Candidate files: Desktop\accounts.doc, Desktop\Passwords.csv
    Check: Newer Than Recorded Time?
    Copied to staging: Windows\$NtUninstallKB885884$\FlashFiles\accounts.ldf
Alternate Techniques?
◦ Eventing Options:
  ▫ FindFirstChangeNotification - Win32 API to utilize asynchronous eventing to alert on file changes
  ▫ System.IO.FileSystemWatcher - .NET class that monitors file system changes
    https://gist.github.com/HarmJ0y/4034d935a3386b96f3ac
  ▫ WMI Eventing to detect change
◦ Numerous options available for storage/compression/encryption
  ▫ Will Schroeder's (@harmj0y) Out-EncryptedStore function
FileSystemWatcher Exfil
◦ Utilizes Start-FileSystemMonitor
  ▫ Slight tweaks to make it dump output
◦ Combine with the following
  ▫ Out-EncryptedStore - BETTER OPTION
    Custom capability
    Uses RSA/AES as desired
    http://www.harmj0y.net/blog/redteaming/offensive-encrypted-data-storage
  ▫ Write-FlashfloodFile
    Replicates algorithm in FLASHFLOOD
    https://github.com/sixdub/BSidesDC2016/blob/master/Write-FlashfloodFile.ps1
4. Catching Packetz - A deep look inside target networks
Examples In Wild
◦ NaikonAPT / APT30
  ▫ "Lateral movements included copying over and remotely setting up winpcap across desktop systems… then remotely setting up AT jobs to run"
◦ RocketKitten
  ▫ MPK Shell
    Raw sockets to sniff TCP/UDP
◦ Duqu 2.0
  ▫ Dropped WinPCAP driver in VFS and loaded to inject MDNS replies
How it Works - WinPCAP
1 - Install WinPCAP "Silently"
    sc.exe create npf ...
    Dropped files: npf.sys (%WINDIR%\system32\drivers), packet.dll, wpcap.dll, pthreadvc.dll
2 - Utilize WinPCAP For Capture
    ● pcap_open
    ● pcap_compile
    ● pcap_setfilter
    ● pcap_dump_open
    ● pcap_dump
    Output: secretdump.pcap
Research
◦ Numerous other methods can be used to capture/trace packets:
  ▫ Windows Filtering Platform Drivers
  ▫ Event Tracing for Windows (ETW)
◦ Inveigh uses raw sockets to spoof
  ▫ Kevin Robertson (@Kevin_Robertson)
◦ Previous work by Alex Rymdeko (@killswitch_GUI)
◦ Several .NET assemblies help us with WinPCAP in PowerShell
WinPCap Mockup
◦ Get-WinPCapCapture
  ▫ Utilizes Packet.NET and SharpPCap assemblies to accomplish capture
    Credit to those authors!
  ▫ Comes with Install and Remove function for "hot" loading of WinPCAP
  ▫ Allows you to add filters
  ▫ Stops capture when:
    Timeout is hit
    Size limit is reached
  https://github.com/sixdub/BSidesDC2016/blob/master/Get-WinPCapCapture.ps1
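A defender-side example, added here and not part of the talk or the sixdub tooling: it scores constructed endpoint log lines for the traces the FLASHFLOOD "How it Works" and WinPCAP "How it Works" slides describe (sc.exe create npf, the dropped npf.sys/wpcap.dll/packet.dll/pthreadvc.dll, a .pcap being written, the $NtUninstallKB885884$\FlashFiles staging path). The log format, rule weights and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real host data): time|host|event|process|detail
SAMPLE_LOG = """\
2016-10-21T09:01:03|WS-17|process|cmd.exe|sc.exe create npf binPath= C:\\Windows\\system32\\drivers\\npf.sys type= kernel
2016-10-21T09:01:04|WS-17|file_write|powershell.exe|C:\\Windows\\system32\\drivers\\npf.sys
2016-10-21T09:01:04|WS-17|file_write|powershell.exe|C:\\Windows\\system32\\wpcap.dll
2016-10-21T09:01:05|WS-17|file_write|powershell.exe|C:\\Windows\\system32\\packet.dll
2016-10-21T09:01:07|WS-17|service_start|services.exe|npf
2016-10-21T09:15:40|WS-17|file_write|powershell.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\secretdump.pcap
2016-10-21T10:02:11|WS-22|file_write|explorer.exe|C:\\Users\\amy\\Desktop\\accounts.doc
2016-10-21T10:02:12|WS-22|file_write|svchost.exe|C:\\Windows\\$NtUninstallKB885884$\\FlashFiles\\accounts.ldf
2016-10-21T10:30:00|WS-09|file_write|msiexec.exe|C:\\Windows\\system32\\drivers\\npf.sys
"""

# (name, weight, regex over "event|process|detail"); weights and threshold are assumptions
RULES = [
    ("winpcap_service_create", 3, re.compile(r"^process\|.*\bsc(\.exe)?\s+create\s+npf\b", re.I)),
    ("winpcap_component_dropped", 1,
     re.compile(r"^file_write\|.*\\(npf\.sys|wpcap\.dll|packet\.dll|pthreadvc\.dll)$", re.I)),
    ("npf_service_started", 2, re.compile(r"^service_start\|[^|]*\|npf$", re.I)),
    ("pcap_file_written", 1, re.compile(r"^file_write\|.*\.pcap$", re.I)),
    ("flashflood_staging_path", 3,
     re.compile(r"^file_write\|.*\\\$NtUninstallKB885884\$\\FlashFiles\\", re.I)),
]

def parse_line(line):
    """Host plus an 'event|process|detail' key, or None for a malformed record."""
    parts = line.split("|", 4)
    return {"host": parts[1], "key": "|".join(parts[2:])} if len(parts) == 5 else None

def match_rules(record):
    """Names and weights of every rule whose regex hits this record."""
    return [(name, w) for name, w, rx in RULES if rx.search(record["key"])]

def score_hosts(log_text):
    """Sum rule weights per host; returns {host: (score, [rule names hit])}."""
    hosts = defaultdict(lambda: [0, []])
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        for name, w in match_rules(rec):
            hosts[rec["host"]][0] += w
            hosts[rec["host"]][1].append(name)
    return {h: tuple(v) for h, v in hosts.items()}

def flag_hosts(log_text, threshold=3):
    """Hosts whose combined score reaches the threshold; one lone driver file does not."""
    return sorted(h for h, (s, _) in score_hosts(log_text).items() if s >= threshold)
```

A single installer (msiexec on WS-09) writing npf.sys stays under the threshold; the chain of service creation, dropped components and a capture file is what gets WS-17 flagged, and the FlashFiles staging path alone is treated as strong enough on its own.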
Defense & Conclusion - IS THE WORLD ENDING?!??!
Mitigation
◦ There is not a single trick to prevent post-exploitation actions
  ▫ "Users gonna use" - @enigma0x3
  ▫ PowerShell != Enemy
◦ Use industry "best practice"
  ▫ Heavy auditing of environments
◦ You don't need next-gen if you don't defend the current-gen
  ▫ http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
"Every contact leaves a trace"
◦ Locard's Exchange Principle
So go find the trace...
What about threat hunting?
Conclusion
◦ Realistic threat replication must properly model threats
  ▫ Realistic tactics (study intel)
  ▫ Observed techniques
  ▫ Similar behavior or procedures
◦ There are plenty of creative Post-Ex techniques to use
  ▫ Don't be so square… :)
◦ You are defending against a human
  ▫ OPSEC is rarely perfect, hunt for trace evidence
Malware References
◦ RocketKitten - MPK Shell
  ▫ Sha1: Eb6a21585899e702fc23b290d449af846123845f
  ▫ https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf
◦ T9000 Malware - tyeu.dat
  ▫ Sha1: 21e78381c75184e5531dfc946cbc0c257e33325b
  ▫ http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/
◦ Naikon APT (AKA APT30) FLASHFLOOD Malware
  ▫ Sha1: cfa438449715b61bffa20130df8af778ef011e15
  ▫ Two good references:
    https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
    https://securelist.com/analysis/publications/69953/the-naikon-apt/
◦ Duqu 2.0 Malware
  ▫ IOCs: https://securelist.com/files/2015/06/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc
  ▫ Original Post: https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf