RAT - Repurposing Adversarial Tradecraft

Abstract
Today’s threat surface is defined by the actors that develop and employ advanced adversarial techniques. These techniques directly affect how red team and pen test engagements are conducted to an extent. This talk will dive into mechanics and tool development of these TTPs (Tactics, Techniques and Procedures). Using multiple languages I will cover a few implementations I have developed directly to help aid engagements, as well as how we can relate them to practical red team engagement scenarios to help deliver effective tests to our customers. We will also cover the tradecraft that can be gleaned from these actors, and how we can implement this into how we operate as red teams and testers.

killswitch_GUI

May 21, 2017
Transcript

  1. RAT
    “Repurposing Adversarial Tradecraft”

  2. Overview
    Introduction of topic
    ◈ Who am I
    ◈ Where I come from
    ◈ Topic Intro
    ⬥ What is RAT
    ◈ What I’m trying to accomplish
    Adversarial Tradecraft
    ◈ Tactics, Techniques and Procedures (TTP’s)
    ◈ Tools that can be integrated
    Adversaries Covered
    ◈ Duqu
    ◈ Hacking Team
    ◈ APT 29
    ◈ ProjectSauron

  3. Who am I?
    I am Alexander Rymdeko-Harvey
    I am a Pentester / Red Teamer, previously US Army enlisted, and have worked on the following:
    SimplyEmail, SimplyTemplate, EmPyre/Empire
    You can find me at @Killswitch-GUI

  4. Some Background on the tools developed:
    ◈ Strong background in Python and common tradecraft
    ◈ Six months ago I had barely any C++ skill set when it came to development
    ◈ Tools developed are POC and are weaponized for specific use cases in multiple languages (Python, PowerShell, C++)
    ◈ All are open source and can be found at Github.com/Killswitch-GUI
    ◈ I don't know if I will maintain or expand weaponization
    Major shout out to the entire team for the help and aid developing these, especially:
    Matt Graeber | Justin Warner | Chris Ross | Lee Christian | Matt Nelson | Rohan Vazarkar | Keelyn Roberts

  5. Topic Intro
    Let’s start with the first set of slides
    1

  6. What is RAT?
    What is this all about?
    Repurposing adversarial tradecraft stems from the traditional sense of warfare and evolving your force to meet a threat.
    - Justin Warner has a great 3-part series on the Red Team: https://www.sixdub.net/?p=705
    Why so important?
    - Pushes the community forward
    - Educates yourself and the client about the newest attack vectors

  7. Red teamers often differentiate themselves from pentesters in that they “emulate adversaries”, yet how often do we hear them talk about actual adversarial TTP’s based off real-world threat intel?

  8. What I’m trying to accomplish
    Taking the time to analyze reports:
    ◈ The need for threat replication
    ◈ Helps produce capabilities
    ◈ Advances the team's capability
    Find some of this code that actually compiles …
    Every tester should understand what the actions they are performing actually do in the background

  9. Duqu 2.0
    Stealth | Precision | Leverage
    2

  10. What makes Duqu Special?
    WMI Data Collection
    ◈ Enumerate process info
    ◈ Remote registry collection*
    ◈ Extract user info / files
    Driver Management
    ◈ Start / Stop Drivers
    ◈ Load Drivers
    ◈ Write Drivers to disk
    Situational Awareness
    A unique set of tools that allowed data collection and provided awareness to operators.
    ◈ Detects running sniffers
    Network Leverage
    A slew of network-based attacks and collection methods.
    ◈ PCAP*
    ◈ NetBIOS
    ◈ WPAD
    Persistence
    Unique persistence, or rather lack of persistence, for such an aggressive threat.
    ◈ TTP’s and confidence
    ◈ Rarely implanted a persistence mechanism
    AD Query
    ADSI query and GC enumeration, think PowerView! This allows for all that PostEx fun.

  11. Hacking Team hackers talk about their tradecraft and methodology
    Persistence

  12. Duqu style persistence
    In Memory
    Duqu reports indicate that the malware lived exclusively in memory.
    - This is common practice among operators today
    - We do, however, need to plant persistence on long-term operations
    Location Based
    Reports indicate that agent implant location was a large factor.
    - This dictated the survivability of the agent
    - Picked high-uptime servers / data centers*
    HIPS Avoidance
    Stealth is an obvious concern: staying off disk and avoiding potential HIPS.
    - Dropping to disk poses a risk of being caught by heuristics etc.

  13. What was the driver to build this TTP?
    ◈ A few long-term engagements required persistence and the ability to operate for 30+ days
    ◈ Need the ability to maintain constant C2 for backup
    ◈ This tool came in handy on more than one occasion and allowed for success

  14. Questions you need to ask yourself on an OP

  15. Building Survivability Rating!
    Get-NetComputer → Obtain WMI → Calculate Weight → Build Statistics
    Invoke-FindPersistence
    ❏ Main entry point
    ❏ PowerView!
    ❏ Enumerates target domain
    ❏ Filters: OS, Service Pack, SPN, ADSPath, Filter, ComputerName
    Invoke-Ping/Test-Wmi
    ❏ Feed computer object into Ping
    ❏ Feed up object into Test-Wmi to check for RPC
    ❏ WMI objects are full of properties (pass Win32_OperatingSystem)
    Calculate Values
    ❏ Calculate value from 0-100
    ❏ This is dependent on type of property
    ❏ Calculate weighted average to percent
    ❏ Calculate Persistence Survivability Rating
    Build Statistics
    ❏ Calculate Mean PSR
    ❏ Calculate Standard Deviation of PSR
    ❏ Variance IDs hot spots!

  16. Running the script..
    ◈ Threads
    - Allowed for extremely fast WMI tests and data collection
    ◈ PowerView Get-NetComputer as the searcher:
    - Allows for very granular host selection ADSPath, Filter and OS
    ◈ Tips:
    - Find a custom “OU” for servers | PS> Get-NetOU -OUName *server*
    - Set -MaxHosts to a reasonable query size
    - Set -OperatingSystem to server versions

  17. Persistence Survivability Rating
    Query              Function                  Weighted Value   Implemented
    Boot Time          Get-WmiBootTime           40%              Yes
    Install date       Get-InstallDate           5%               Yes
    OS Level           Get-WmiOS                 5%               Yes
    System Enclosure   Get-WmiSystemEnclosure    10%              Yes
    Architecture       Get-WmiArch               5%               Yes
    Disk Size          Get-WmiDisk               5%               Yes
    Processor Count    Get-WmiProcessorCount     5%               Yes
    Processor Cores    Get-WmiProcessorCores     5%               Yes
    Processor Speed    Get-WmiProcessorSpeed     5%               Yes
    Process Count      Get-WmiProcessCount       5%               Yes

    Persistence Checks
    Query              Impact             Implemented
    VM Checks          Truth of data      Yes
    WMI Event Logging                     No
    Portable OS        Implant Location   Yes

  18. Calculating the Mean → Calculate the Standard Deviation → Calculate Variance
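    The rating pipeline on slides 15-18 (score each WMI property 0-100, take the weighted average with the weights from the table, then compute mean, standard deviation and variance across hosts to find hot spots) as an added Python example. This is not code from the deck or from the Persistence-Survivability project: the weights are the deck's, but the per-property scoring curves, the 1-sigma hot-spot cut-off and the sample inventory are assumptions constructed for this example.

```python
# Added example (not code from the deck or the Persistence-Survivability
# project): a model of the Persistence Survivability Rating (PSR) pipeline.
# The weights come from the deck's table; every 0-100 scoring curve below is
# an assumption made for this example.
import math
from typing import Dict, List, Tuple

# Weighted values from the deck's PSR table (percent). They sum to 90, so the
# weighted average divides by the sum of the weights rather than by 100.
WEIGHTS: Dict[str, int] = {
    "boot_time": 40, "install_date": 5, "os_level": 5, "system_enclosure": 10,
    "architecture": 5, "disk_size": 5, "processor_count": 5,
    "processor_cores": 5, "processor_speed": 5, "process_count": 5,
}


def clamp(value: float) -> float:
    """Keep a per-property score inside 0-100."""
    return max(0.0, min(100.0, value))


def score_host(raw: Dict[str, object]) -> Dict[str, float]:
    """Map raw values (the kind Test-Wmi pulls from Win32_OperatingSystem and
    friends) to a 0-100 score per property. Every curve here is an assumption."""
    return {
        "boot_time": clamp(raw["uptime_days"] / 180 * 100),          # 180+ days of uptime scores 100
        "install_date": clamp(raw["install_age_days"] / 730 * 100),  # 2+ years since install scores 100
        "os_level": 100.0 if raw["is_server_os"] else 30.0,
        "system_enclosure": 100.0 if raw["enclosure"] in ("rack", "blade") else 20.0,
        "architecture": 100.0 if raw["arch"] == "x64" else 50.0,
        "disk_size": clamp(raw["disk_gb"] / 1000 * 100),
        "processor_count": clamp(raw["cpu_sockets"] / 4 * 100),
        "processor_cores": clamp(raw["cpu_cores"] / 32 * 100),
        "processor_speed": clamp(raw["cpu_mhz"] / 3500 * 100),
        "process_count": clamp(raw["process_count"] / 200 * 100),
    }


def psr(scores: Dict[str, float]) -> float:
    """Weighted average of the property scores, expressed as a percent."""
    total_weight = sum(WEIGHTS.values())
    return sum(WEIGHTS[name] * scores[name] for name in WEIGHTS) / total_weight


def statistics(values: List[float]) -> Tuple[float, float, float]:
    """Mean, population variance and standard deviation of a list of ratings."""
    n = len(values)
    mean = sum(values) / n
    variance = sum((v - mean) ** 2 for v in values) / n
    return mean, variance, math.sqrt(variance)


def hot_spots(ratings: Dict[str, float], sigmas: float = 1.0) -> List[str]:
    """Hosts whose PSR is at least `sigmas` standard deviations above the mean
    (the "variance IDs hot spots" step; the 1-sigma cut-off is an assumption)."""
    mean, _, std = statistics(list(ratings.values()))
    return sorted(h for h, r in ratings.items() if r >= mean + sigmas * std)


def rate_hosts(hosts: Dict[str, Dict[str, object]]) -> Dict[str, float]:
    """PSR per host name."""
    return {name: psr(score_host(raw)) for name, raw in hosts.items()}


# Constructed sample inventory (not real hosts): two workstations, two servers.
SAMPLE_HOSTS = {
    "WS01": dict(uptime_days=2, install_age_days=90, is_server_os=False, enclosure="desktop",
                 arch="x64", disk_gb=256, cpu_sockets=1, cpu_cores=4, cpu_mhz=2600, process_count=120),
    "WS02": dict(uptime_days=5, install_age_days=400, is_server_os=False, enclosure="laptop",
                 arch="x64", disk_gb=512, cpu_sockets=1, cpu_cores=8, cpu_mhz=3000, process_count=150),
    "SRV01": dict(uptime_days=210, install_age_days=900, is_server_os=True, enclosure="rack",
                  arch="x64", disk_gb=2000, cpu_sockets=2, cpu_cores=16, cpu_mhz=2400, process_count=90),
    "DC01": dict(uptime_days=400, install_age_days=1500, is_server_os=True, enclosure="rack",
                 arch="x64", disk_gb=1000, cpu_sockets=2, cpu_cores=8, cpu_mhz=2200, process_count=110),
}

if __name__ == "__main__":
    ratings = rate_hosts(SAMPLE_HOSTS)
    mean, variance, std = statistics(list(ratings.values()))
    for host, rating in sorted(ratings.items(), key=lambda kv: -kv[1]):
        print(f"{host:6s} PSR={rating:6.2f}")
    print(f"mean={mean:.2f} variance={variance:.2f} stddev={std:.2f}")
    print("hot spots:", hot_spots(ratings))
```

    The same arithmetic reads both ways: the hosts that score highest on uptime, install age and enclosure type are exactly the high-uptime servers a memory-only implant would favour, so a hunt team can use the rating to decide where periodic memory collection is worth the cost.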

  19. Quick Demo!

  20. Why 0day when you don't use SMB signing?
    Network Leverage

  21. Duqu style network collection
    Modular Build
    Duqu reports indicate that the malware was modular in nature.
    - Common in malware and allows a custom build of the agent
    - Reduces operational risk
    - This dynamic execution is emulated via reflective DLL’s
    Sniffer
    Duqu used the legitimate WinPcap (npf.sys) driver for sniffing!
    - Full network stack capture
    - Ability to spoof and alter the network stack
    Network Attacks
    Although Duqu had plenty of offensive capability, common network attacks were integrated as well:
    - Allowed for NetBIOS / WPAD attacks
    - Why use 0day or burn TTP’s if a WPAD attack works?
    - Beyond AD in cases where separate network segments exist

  22. Network Capture Options
    UserMode
    Within user mode, options are very limited: elevated context is required and only limited capture is available.
    - WinSock2 possible
    - Allows pure native Windows subsystem code to execute :)
    - OSI layer 3 and above available
    - No spoofing of the network stack
    KernelMode
    Kernel space allows for complete control over the network stack and NIC. Elevated context and a signed driver are needed.
    - Allows for NDIS integration of protocol drivers (NPF)
    - Full packet capture
    - Full packet injection
    - Network Monitoring

  23. Native PCAP Capture in C++!
    Start Capture → Receive Filter → Build PCAP → Write Packet
    Reflective DLL
    ❏ Main entry point
    ❏ Entire project is weaponized in a reflective DLL (RDI)
    ❏ Cobalt Strike!
    ❏ WinSock2 - allows for native capture
    ❏ Set up required API calls
    IPC Thread
    ❏ RDI in a remote process has no communication with the caller!
    ❏ Named pipe thread implemented for control
    ❏ Sets poison pill for control
    ❏ Write custom pcap header struct to disk
    Receive Filter
    ❏ Parse packet IP and protocol headers
    ❏ Filter on packet count, IP, port, and file size
    ❏ Parse and write to stdout
    ❏ Build PCAP packet struct and write to file

  24. Winsock2 Native Sniffer

  25. IPC with the capture (Language agnostic)
    C++ Named Pipe Server | PowerShell Named Pipe client

  26. Build PCAP Headers
    PCAP File Header
    PCAP Packet Header
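    The two headers named on this slide, plus the IP/protocol header parse behind the "Receive Filter" step on slide 23, as an added Python example. This is not code from the deck or from the Winsock-PCAP project: it packs the classic pcap global header and per-packet record header with struct, parses them back while refusing truncated or inconsistent records, and applies a simple IP/protocol filter. Link type 101 (LINKTYPE_RAW) is chosen because a WinSock2 raw-socket capture yields IP packets without an Ethernet frame; the sample packets are constructed.

```python
# Added example (not code from the deck or the Winsock-PCAP project): PCAP file
# header and packet record header, a reader for them, and the IPv4 header parse
# used by a receive-side filter. Sample packets below are constructed.
import socket
import struct
from typing import Dict, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # microsecond timestamps, written in the writer's byte order
LINKTYPE_RAW = 101        # each record starts at the IP header (no Ethernet frame)
FILE_HEADER = struct.Struct("<IHHiIII")       # magic, major, minor, thiszone, sigfigs, snaplen, network
PACKET_HEADER = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header, network byte order


def build_file_header(snaplen: int = 65535, network: int = LINKTYPE_RAW) -> bytes:
    """Global header written once at the start of the capture file (pcap 2.4)."""
    return FILE_HEADER.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, network)


def build_packet_record(packet: bytes, ts: float, snaplen: int = 65535) -> bytes:
    """Per-packet header followed by the captured bytes, truncated to snaplen."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = packet[:snaplen]
    return PACKET_HEADER.pack(sec, usec, len(captured), len(packet)) + captured


def parse_ipv4(packet: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, protocol) for an IPv4 packet, or None if it is not one."""
    if len(packet) < IPV4_HEADER.size:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_HEADER.unpack_from(packet, 0)
    if ver_ihl >> 4 != 4:
        return None
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto


def matches(packet: bytes, ip: Optional[str] = None, proto: Optional[int] = None) -> bool:
    """Receive-side filter: keep IPv4 packets involving `ip` and/or carrying `proto`."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return False
    src, dst, p = parsed
    if ip is not None and ip not in (src, dst):
        return False
    return proto is None or p == proto


def parse_pcap(data: bytes) -> Dict[str, object]:
    """Read a pcap file back, honouring the byte order the magic announces and
    refusing truncated or inconsistent records instead of reading past them."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("file shorter than the global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError(f"unknown pcap magic {magic.hex()}")
    fh = struct.Struct(endian + "IHHiIII")
    ph = struct.Struct(endian + "IIII")
    _, major, minor, _, _, snaplen, network = fh.unpack_from(data, 0)
    packets: List[Tuple[float, int, bytes]] = []
    off = fh.size
    while off < len(data):
        if len(data) - off < ph.size:
            raise ValueError(f"truncated packet header at offset {off}")
        sec, usec, incl, orig = ph.unpack_from(data, off)
        off += ph.size
        if incl > snaplen or incl > orig:
            raise ValueError(f"inconsistent lengths at offset {off - ph.size}")
        if len(data) - off < incl:
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append((sec + usec / 1_000_000, orig, data[off:off + incl]))
        off += incl
    return {"version": (major, minor), "snaplen": snaplen, "linktype": network, "packets": packets}


def make_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 packet (checksum left at zero) for the sample capture."""
    total = IPV4_HEADER.size + len(payload)
    return IPV4_HEADER.pack(0x45, 0, total, 0, 0, 64, proto, 0,
                            socket.inet_aton(src), socket.inet_aton(dst)) + payload


if __name__ == "__main__":
    capture = build_file_header(snaplen=60)
    capture += build_packet_record(make_ipv4("10.0.0.1", "10.0.0.2", 6, b"A" * 20), 1495324800.5, snaplen=60)
    capture += build_packet_record(make_ipv4("10.0.0.3", "10.0.0.1", 17, b"B" * 100), 1495324801.0, snaplen=60)
    for ts, orig_len, pkt in parse_pcap(capture)["packets"]:
        print(ts, orig_len, len(pkt), parse_ipv4(pkt), matches(pkt, ip="10.0.0.2"))
```

    The length checks in parse_pcap are the part worth copying: a capture written by an agent that is killed mid-write (the "poison pill" on slide 23) commonly ends in a partial record, and a reader that trusts incl_len without comparing it to snaplen, orig_len and the bytes remaining will either crash or silently misparse everything after the cut.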

  27. Finally Weaponize with Stephen Fewer ReflectiveDLL Injection!
    Why?
    ◈ Stealthy:
    - The loaded library is not registered in the PEB’s list of loaded modules
    - Enumeration of process modules will also not expose it
    - Entirely in-memory execution
    ◈ Modular Design:
    - Allows for dynamic expansion of the agent if the developer builds an IPC standard
    - DLL patching for second stage payloads
    - Agent would only need a stub loader
    RDI Process Injection:
    1. Obtain byte array of DLL
    2. Get handle on target proc and allocate memory
    3. RWX target memory
    4. Copy over DLL to target allocated memory
    5. Calculate memory offset for the DLL export
    6. Create remote thread with known offset to entry point
    7. Reflective Loader function locates needed libraries (kernel32.dll)
    8. Locate memory addresses of API calls needed to load itself
    9. Finally once loaded into memory, call DllMain()!
    https://github.com/stephenfewer | http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

  28. Quick Demo!

  29. Loading signed drivers at runtime and in a stealthy manner
    Hot Loading Drivers

  30. APT Driver Loading
    Critical Design
    Duqu required driver execution within a few modules. This could dramatically help testers:
    - The nature of Duqu’s mission would need this capability
    - This capability is not often needed on a Pen Test / Red Team
    Stealthy
    Standard driver loading often entails a service creation with reboot. Hot loading a driver can be done two ways:
    - Kernel Driver Service Creation
    - NtLoadDriver() undocumented functionality
    Unsigned Drivers
    The ability to load custom drivers relies on signed drivers. This however can be bypassed:
    - Using exploitable drivers to gain kernel code execution
    - ProjectSauron used this for a network packet filtering & modification driver

  31. What was the driver to build this TTP?
    ◈ The process to start WinPcap dynamically - we will be using NPF as the scenario
    ◈ Ability to perform full packet capture!
    ◈ Because direct threat replication is cool

  32. Loading Driver Options (We will cover both)
    SC Driver Loading
    Using the Service Control Manager we can start and stop kernel driver services. This is easy at scale but leaves a larger forensic footprint.
    - Easy to implement
    - Dirty artifacts: Service Creation, Service Deletion, Driver Load event
    - Requires Driver Path and Name
    NtLoadDriver() Loading
    Using the undocumented function NtLoadDriver(), stealthier driver loading is possible.
    - Allows for NDIS integration of protocol drivers (NPF)
    - Full packet capture
    - Full packet injection
    - Network Monitoring

  33. SC Driver Loading in C++!
    Decode and Write → Open SC Manager → Start Required Application → Service Deletion → Clean Up
    Reflective DLL
    ❏ Main entry point
    ❏ Entire project is weaponized in a reflective DLL (RDI)
    ❏ CobaltStrike!
    ❏ Base64 decode driver and DLL’s
    ❏ Write DLL’s and driver to required locations
    Open SC Manager
    ❏ SC handle creation
    ❏ Start Kernel Driver Service
    ❏ Remove service used to load driver
    Start Required Application
    ❏ Run user mode code / application
    ❏ All required DLL’s are loaded via LoadLibrary etc.
    ❏ Driver is in kernel space
    ❏ Safe to remove files

  34. WinPcap Internals Overview

  35. Loading WinPcap DLL Matrix
    Operating System   Packet.dll     wpcap.dll
    Windows XP x86
    Windows 7 x86      Packet 2.dll   wpcap.dll
    Windows 7 x64
    Windows 10 x86     Packet 2.dll   wpcap.dll
    Windows 10 x64     Packet 3.dll   wpcap 2.dll
    Extracted WinPcap package

  36. SC Driver Service

  37. RDI SC Driver Demo!

  38. NtDriverLoad Loading in C++!
    Enable Privileges → Write Registry Keys → Load NTDLL.dll → NtLoadDriver → NtUnloadDriver
    Reflective DLL
    ❏ Main entry point
    ❏ Entire project is weaponized in a reflective DLL (RDI)
    ❏ CobaltStrike!
    ❏ Enable privileges for current process
    ❏ SeLoadDriverPrivilege
    Write Registry Keys
    ❏ NtLoadDriver requires a registry location
    ❏ Write the three keys required for the API
    Load NTDLL.dll
    ❏ Retrieve NTDLL.dll location
    ❏ Retrieve process location of the undocumented call NtLoadDriver()
    ❏ Convert path to unicode
    ❏ Call the undocumented API
    ❏ Pass registry path
    NtUnloadDriver
    ❏ Call NtUnloadDriver on the registry path
    ❏ Clean up after all calls are done etc

  39. (image-only slide, no transcribed text)

  40. RDI NtDriverLoad Demo!

  41. APT 29
    Long Term | Survivability | Fast Paced
    3

  42. What makes APT 29 Special?
    WMI
    ◈ Heavy reliance on WMI
    ◈ Custom WMI class creation
    ◈ Heavy use of PowerShell
    Persistence
    ◈ Not agent persistence but the level of activity
    ◈ Extremely well equipped
    Agent Deployment
    The ability to use multiple agents with multiple IOC’s
    ◈ Using a main agent vs backup agent
    ◈ Think C2 initial setup
    Known
    Lots of great research on the net! Talks from Mandiant and:
    ◈ Defcon talks like “WhyMI so Sexy?” by Matt Graeber
    ◈ Nick Carr, Matt Dunwoody, DJ Palombo, and Alec Randazzo Mandiant Talk

  43. A Custom RDI Agent
    POC Long Term Agent

  44. Agent Capability
    Core Agent (Modular):
    - Pure C++ Agent
    - In memory logging outlet
    - Standard Calls (Sleep/Jitter etc..)
    - VM Detection (WMI Profiling)
    - AV Detection (Driver Query Based)
    - Process Listing (API / WMI Methods)
    - Shell Commands (cmd.exe)
    - Shell Code Injection (Process Injection)
    - Token Manipulation (Make Token/Rev)
    - RunAs
    - WinAES (Windows Crypto Providers)
    - WMI Monitoring:
    - Service Creation
    - Process Creation
    - Driver Creation

  45. WMI Event Monitoring
    Why should I care?
    ◈ HUNT / IR is doing it to catch you, why can't we use it to catch them?
    ⬥ HIPS, UpRoot
    ◈ Think about how you capture memory from a compromised machine!
    ⬥ USB with Memoryze in userland...
    ◈ The ability to make operator decisions agent-side in time-sensitive situations
    ⬥ The ability to cleanly exit an agent or just sleep
    What should we monitor:
    ◈ Process Creation:
    ⬥ IR Toolset
    ⬥ Common RE / Memory Capture
    ⬥ Environmental Change (HUNT?)
    ◈ Service Creation:
    ⬥ New software, e.g. Cylance service creation
    ◈ Driver Install:
    ⬥ Often complete memory capture requires a signed driver
    ⬥ NPF.sys, mktools.sys etc..

  46. WMI Process Monitoring Within Agent

  47. Rule Creation (Dynamic Vector) Rule Trigger Handler

  48. Process Creation Ex.

  49. Service Creation Ex.

  50. Ex. Rule Triggered

  51. WMI Event Within Demo!

  52. Conclusion
    Code Takeaways:
    ◈ All of these techniques are talked about, documented, and mentioned elsewhere.
    ⬥ Nothing 100% novel
    ◈ Finding the documentation is hard; it is near nonexistent
    ⬥ Finding code that compiles..
    ◈ Hopefully the mass of PS and C++ code examples is helpful!
    ⬥ All written in VS 2015 with project files :)
    Key Takeaways:
    ◈ The attempt to try some of these techniques (TTP’s)
    ⬥ Driver loading not often, but really cool!
    ◈ The knowledge gained on low-level Windows operations
    ⬥ Very key for operators debugging toolsets

  53. https://github.com/killswitch-GUI/Domain-WIFILocate - Geo Wifi Keys
    https://github.com/killswitch-GUI/Persistence-Survivability - Persistence Survivability Rating
    https://github.com/killswitch-GUI/Winsock-PCAP - Winsock2 PCAP Capture
    https://github.com/killswitch-GUI/HotLoad-LoadDriver/ - ScLoadDriver / WinPcap / NtLoadDriver
    https://github.com/killswitch-GUI/DeepFreeze-Agent - POC IR Aware Agent

  54. Any questions?
    You can find me at:
    @Killswitch-GUI · CyberSyndicates.com
