RAT - Repurposing Adversarial Tradecraft

RAT - Repurposing Adversarial Tradecraft

Today’s threat surface is defined by the actors that develop and employ advanced adversarial techniques. These techniques directly affect how red team and pen test engagements are conducted to an extent. This talk will dive into mechanics and tool development of these TTPs (Tactics, Techniques and Procedures). Using multiple languages I will cover a few implementations I have developed directly to help aid engagements, as well as how we can relate them to practical red team engagement scenarios to help deliver effective tests to our customers. We will also cover the tradecraft that can be gleaned from these actors, and how we can implement this into how we operate as red teams and testers.



May 21, 2017


  1. RAT “Repurposing Adversarial Tradecraft”

  2. Overview Introduction of topic ◈ Who am I ◈ Where

    I come from ◈ Topic Intro ⬥ What is RAT ◈ What i’m trying to accomplish Adversarial Tradecraft ◈ Tactics, Techniques and Procedures (TTP’s) ◈ Tools that can be integrated Adversaries Covered ◈ Duqu ◈ Hacking Team ◈ APT 29 ◈ ProjectSauron
  3. Who am I? I am Alexander Rymdeko-Harvey I am Pentester

    / Red Teamer, Previous US ARMY enlisted and have worked on the following: SimplyEmail, SimplyTemplate, EmPyre/Empire You can find me at @Killswitch-GUI
  4. Some Background on the tools developed: ◈ Strong background in

    Python and common tradecraft ◈ Six months ago I had barely any C++ skill set when it came to development ◈ Tools developed are POC and are weaponized for specific use cases with multiple languages (Python, Powershell, C++) ◈ All are open source and can be found at Github.com/Killswitch-GUI ◈ I don't know if I will maintain or expand weaponization Major shout out to the entire team for the help and aid developing these , especially: Matt Graber | Justin Warner | Chris Ross | Lee Christian | Matt Nelson | Rohan Vazarkar | Keelyn Roberts
  5. Topic Intro Let’s start with the first set of slides

  6. What is RAT? Repurposing adversarial tradecraft stems from the traditional

    sense of warfare and evolving your force to meet a threat. - Justin Warner has a great 3 part series on the Red Team. https://www.sixdub.net/?p=705 What is this all about? Why so important? - Pushes the community forward - Educate yourself and the client of the newest attack vector
  7. “ Red teamers often differentiate themselves from pentesters in that

    they “emulate adversaries” yet how often do we hear them talk about actual adversarial TTP’s based off real world threat intel?
  8. What I’m trying to accomplish Taking the time to analyze

    reports: ◈ The need for threat replication ◈ Helps produce capabilities ◈ Advance the team's capability Find some of this code that actually compiles … Every tester should understand what the actions they are doing in the background
  9. Duqu 2.0 Stealth | Precision | Leverage 2

  10. What makes Duqu Special? WMI Data Collection ◈ Enumerate process

    info ◈ Remote registry collection* ◈ Extract user info / files Driver Management ◈ Start / Stop Drivers ◈ Load Drivers ◈ Write Drivers to disk Situational Awareness A unique set of tools that allowed data collection and provided awareness to operators. ◈ Detects running sniffers Network Leverage A slew of network based attacks and collection methods. ◈ PCAP* ◈ NetBIOS ◈ WPAD Persistence Unique persistence or lack of persistence for such an aggressive threat. ◈ TTP’s and confidence ◈ Rarely implanted mechanism AD Query ADSI query and GC enumeration, think PowerView! This allows for all that PostEx fun.
  11. Hacking Team hackers talk about their Tradecraft and methodology Persistence

  12. Duqu style persistence In Memory Duqu reports indicate that the

    malware lived exclusively in memory. - This is a common practice as operators today - We do however need to plant persistence on long term operations Location Based Reports indicate that agent implant location was a large factor. - This dictated the survivability of agent - Picked high uptime server / Data centers* HIPS Avoidance Stealth is an obvious concern, staying off disk and avoiding potential HIPS. - Dropping to disk poses a risk to be caught by heuristics etc.
  13. What was the driver to build this TTP? ◈ On

    a few long term engagements that required persistence and ability to OP (30+ Days) ◈ Need the ability to maintain constant C2 for backup ◈ This tool came in handy on more than one occasion and allowed for success
  14. Questions you need to ask yourself on a OP?

  15. Building Survivability Rating! Invoke-FindPersistence ❏ Main entry point ❏ PowerView!

    ❏ Enumerates target domain ❏ Filters: OS, Service Pack, SPN, ADSPath, Filter, ComputerName Invoke-Ping/Test-Wmi ❏ Feed computer object into Ping ❏ Feed up object into Test-Wmi to check for RPC ❏ WMI objects are full of properties (Pass Win32_OperatingSystem ) Calculate Values ❏ Calculate Value from 0-100 ❏ This is dependent on type of property ❏ Calculate weighted average to percent ❏ Calculate Persistence Survivability Rating Build Statistics ❏ Calculate Mean PSR ❏ Calculate Standard Deviation of PSR ❏ Variance Id’s hot spots! Calculate Weight Obtain WMI Get-NetComputer
  16. Running the script.. ◈ Threads - Allowed for extremely fast

    WMI tests and data collection ◈ PowerView Get-NetComputer as the searcher: - Allows for very granular host selection ADSPath, Filter and OS ◈ Tips: - Find a custom “OU” for servers | PS> Get-NetOU -OUName *server* - Set -MaxHosts to a reasonable query size - Set -OperatingSystem to server versions
  17. Persistence Survivability Rating Query Weighted Value Implemented Boot Time Get-WmiBootTime

    40% Yes Install date Get-InstallDate 5% Yes OS Level Get-WmiOS 5% Yes System Enclosure Get-WmiSystemEnclosur e 10% Yes Architecture Get-WmiArch 5% Yes Disk Size Get-WmiDisk 5% Yes Processor Count Get-WmiProcessorCount 5% Yes Processor Cores Get-WmiProcessorCores 5% Yes Processor Speed Get-WmiProcessorSpeed 5% Yes Process Count Get-WmiProcessCount 5% Yes Persistence Checks Query Impact Implemente d VM Checks Truth of data Yes WMI Event Logging No Portable OS Implant Location Yes
  18. Calculating the Mean → Calculate the Standard Deviation → Calculate

  19. Quick Demo!

  20. Why 0day when you don't use SMB signing? Network Leverage

  21. Duqu style network collection Modular Build Duqu reports indicate that

    the malware was modular in nature. - Common in malware and allows a custom build of agent - Reduces operational risk - This dynamic execution is emulated via reflective DLL’s Sniffer Duqu used legitimate WinPcap (npf.sys) driver for sniffing! - Full network stack capture - Ability to spoof and alter network stack Network Attacks Although Duqu had plenty of offensive capability, common network attacks integrated? - Allowed for NetBIOS / WPAD Attacks - Why use 0day or burn TTP’s if WPAD attack works? - Beyond AD in cases where separate network segments exists
  22. UserMode Within usermode options are very limited. Elevated context is

    required and limited capture available. - WinSock2 possible - Allows pure native windows subsystem code to execute :) - OSI layer 3 and above available - No spoofing of the network stack Network Capture Options KernelMode Kernel space allows for complete control over the Network Stack and NIC. Elevated context and signed driver is needed. - Allows for NDIS integration of protocol drivers (NPF) - Full packet capture - Full packet injection - Network Monitoring
  23. Native PCAP Capture in C++! Reflective DLL ❏ Main entry

    point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ Cobalt Strike! ❏ WinSock2 - allows for native capture ❏ Set up required API calls IPC Thread ❏ RDI in remote process has no communication with caller! ❏ Named pipe thread implemented for control ❏ Sets poison pill for control ❏ Write custom pcap header struct to disk Receive Filter ❏ Parse packet Ip, and protocol headers ❏ Filter on packet count, ip, port, and file size ❏ Parse and write to stdout ❏ Build PCAP packet struct and write to file Write Packet Build PCAP Start Capture
  24. Winsock2 Native Sniffer

  25. IPC with the capture (Language agnostic) C++ Named Pipe Server

    PowerShell Named Pipe client
  26. Build PCAP Headers PCAP File Header PCAP Packet Header

  27. Finally Weaponize with Stephen Fewer ReflectiveDLL Injection! Why? ◈ Stealthy:

    - Loaded Library will not register list of loaded modules in PEB - Enumeration of process modules will also not yield in exposure - Entirely in memory execution ◈ Modular Design: - Allows for dynamic expansion of agent if developer builds IPC standard - DLL patching for second stage payloads - Agent would only need stub loader RDI Process Injection: 1. Obtain byte array of DLL 2. Get handle on target proc and allocate memory 3. RWX target memory 4. Copy over DLL to target allocated memory 5. Calculate memory offset for the DLL export 6. Create remote thread with known offset to entry point 7. Reflective Loader function locates needed libraries (kernal32.dll) 8. Locate memory addresses of API calls needed to load itself 9. Finally once loaded into memory, call DLLMain()! https://github.com/stephenfewer | http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
  28. Quick Demo!

  29. Loading signed drivers at runtime and In a stealthy manner

    Hot Loading Drivers
  30. APT Driver Loading Critical Design Duqu required driver execution within

    a few modules. This could dramatically help testers: - The nature of Duqu’s mission would need this capability - This capability is not often needed on Pen Test / Red Team Stealthy Standard driver loading often entails a service creation with reboot. Hot loading a driver can be done two ways: - Kernel Driver Service Creation - NtLoadDriver() undocumented functionality Unsigned Drivers The ability to load custom drivers relies on signed drivers. This however can be bypassed: - Using exploitable drivers to gain kernel code execution - ProjectSauron used this for Network Packet Filtering & modification driver
  31. What was the driver to build this TTP? ◈ The

    process to start WinPcap dynamically - we will be using NPF as the scenario ◈ Ability to perform full packet capture! ◈ Because direct threat replication is cool
  32. SC Driver Loading Using the service controller manager we can

    start and stop kernel driver services. This is easy on the scale but allows for a larger footprint forensically. - Easy to implement - Dirty artifacts: Service Creation, Service Deletion, Driver Load event - Requires Driver Path and Name Loading Driver Options (We will cover both) NtLoadDriver() Loading Using the undocumented function NtLoadDriver() stealthy driver loading is possible. - Allows for NDIS integration of protocol drivers (NPF) - Full packet capture - Full packet injection - Network Monitoring
  33. SC Driver Loading in C++! Reflective DLL ❏ Main entry

    point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ CobaltStrike! ❏ Base64 decode driver and DLL’s ❏ Write DLL’s and driver to required locations Open SC Manager ❏ SC Handle creation ❏ Start Kernel Driver Service ❏ Remove service used to load driver Start Required Application ❏ Run User Mode code / application ❏ All required DLL’s are loaded via LoadLibary etc. ❏ Driver is in Kernel space ❏ Safe to remove files Clean Up Service Deletion Decode and Write
  34. WinPcap Internals Overview

  35. Loading WinPcap DLL Matrix Operating System Packet.dll wpcap.dll Windows XP

    x86 Windows 7 x86 Packet 2.dll wpcap.dll Windows 7 x64 Windows 10 x86 Packet 2.dll wpcap.dll Windows 10 x64 Packet 3.dll wpcap 2.dll Extracted WinPcap package
  36. SC Driver Service

  37. RDI SC Driver Demo!

  38. NtDriverLoad Loading in C++! Reflective DLL ❏ Main entry point

    ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ CobaltStrike! ❏ Enable privileges for current process ❏ SeLoadDriverPrivlage Write Registry Keys ❏ NtLoadDriver requires a registry location ❏ Write three required for API ❏ Retrieve NTDLL.dll location ❏ Retrieve Process location of undocumented call NtLoadDriver() ❏ Convert path to unicode ❏ Call Undocumented API call ❏ Pass registry path ❏ Call NtUnloadDriver on the registry path ❏ Clean up after all calls are done etc NtUnloadDriver Load NTDLL.dll Enable Privileges
  39. None
  40. RDI NtDriverLoad Demo!

  41. APT 29 Long Term | Survivability | Fast Paced 3

  42. What makes APT 29 Special? WMI ◈ Heavy reliance on

    WMI ◈ Custom WMI class creation ◈ Heavy use of PowerShell Persistence ◈ Not Agent persistence but the level of activity ◈ Extremely well equipped Agent Deployment The ability to use multiple agents with multiple IOC’s ◈ Using a main agent vs backup agent ◈ Think C2 initial setup Known Lots of great research on the net! Talks from mandiant and ◈ Defcon talks like “WhyMI so Sexy?” Matt Graber ◈ Nick Carr, Matt Dunwoody, DJ Palombo, and Alec Randazzo Mandiant Talk
  43. A Custom RDI Agent POC Long Term Agent

  44. Agent Capability Core Agent (Modular): - Pure C++ Agent -

    In memory logging outlet - Standard Calls (Sleep/Jitter etc..) - VM Detection (WMI Profiling) - AV Detection (Driver Query Based) - Process Listing (API / WMI Methods) - Shell Commands (cmd.exe) - Shell Code Injection (Process Injection) - Token Manipulation (Make Token/Rev) - RunAs - WinAES (Windows Crypto Providers) - WMI Monitoring: - Service Creation - Process Creation - Driver Creation
  45. WMI Event Monitoring Why should I care? ◈ HUNT /

    IR is doing it to catch you, why can't we use it to catch them? ⬥ HIPS, UpRoot ◈ Think about how you capture memory from a compromised machine! ⬥ USB with Memorize in userland... ◈ The ability to make operator decision agent side in time sensitive situations ⬥ The ability to cleanly exit an agent or just sleep What should we monitor: ◈ Process Creation: ⬥ IR Toolset ⬥ Common RE / Memory Capture ⬥ Environmental Change (HUNT?) ◈ Service Creation: ⬥ New software ex (cylance service creation) ◈ Driver Install: ⬥ Often complete memory capture requires signed driver ⬥ NPF.sys, mktools.sys etc..
  46. WMI Process Monitoring Within Agent

  47. Rule Creation (Dynamic Vector) Rule Trigger Handler

  48. Process Creation Ex.

  49. Service Creation Ex.

  50. Ex. Rule Triggered

  51. WMI Event Within Demo!

  52. Conclusion Code Takeaways: ◈ All of these techniques are talked

    about documented and mentioned. ⬥ Nothing 100% novel ◈ Finding the documentation is near nonexistent ⬥ Finding code that compiled.. ◈ Hopefuly the mass amount of PS, C++ code examples are helpful! ⬥ All written in VS 2015 with project files :) Key Takeaways: ◈ The attempt to try some of these techniques (TTP’s) ⬥ Driver loading not often but really cool! ◈ The knowledge gained on low level Windows operations ⬥ Very key for operators debugging toolsets
  53. https://github.com/killswitch-GUI/Domain-WIFILocate Geo Wifi Keys https://github.com/killswitch-GUI/Persistence-Survivability Persistence Survivability Rating https://github.com/killswitch-GUI/Winsock-PCAP Winsock2

    PCAP Capture https://github.com/killswitch-GUI/HotLoad-LoadDriver/ ScLoadDriver / WinPcap / NtLoadDriver https://github.com/killswitch-GUI/DeepFreeze-Agent POC IR Aware Agent
  54. Any questions? You can find me at: @Killswitch-GUI · CyberSyndicates.com