Slide 1

Slide 1 text

RAT “Repurposing Adversarial Tradecraft”

Slide 2

Slide 2 text

Overview Introduction of topic ◈ Who am I ◈ Where I come from ◈ Topic Intro ⬥ What is RAT ◈ What i’m trying to accomplish Adversarial Tradecraft ◈ Tactics, Techniques and Procedures (TTP’s) ◈ Tools that can be integrated Adversaries Covered ◈ Duqu ◈ Hacking Team ◈ APT 29 ◈ ProjectSauron

Slide 3

Slide 3 text

Who am I? I am Alexander Rymdeko-Harvey I am Pentester / Red Teamer, Previous US ARMY enlisted and have worked on the following: SimplyEmail, SimplyTemplate, EmPyre/Empire You can find me at @Killswitch-GUI

Slide 4

Slide 4 text

Some Background on the tools developed: ◈ Strong background in Python and common tradecraft ◈ Six months ago I had barely any C++ skill set when it came to development ◈ Tools developed are POC and are weaponized for specific use cases with multiple languages (Python, Powershell, C++) ◈ All are open source and can be found at Github.com/Killswitch-GUI ◈ I don't know if I will maintain or expand weaponization Major shout out to the entire team for the help and aid developing these , especially: Matt Graber | Justin Warner | Chris Ross | Lee Christian | Matt Nelson | Rohan Vazarkar | Keelyn Roberts

Slide 5

Slide 5 text

Topic Intro Let’s start with the first set of slides 1

Slide 6

Slide 6 text

What is RAT? Repurposing adversarial tradecraft stems from the traditional sense of warfare and evolving your force to meet a threat. - Justin Warner has a great 3 part series on the Red Team. https://www.sixdub.net/?p=705 What is this all about? Why so important? - Pushes the community forward - Educate yourself and the client of the newest attack vector

Slide 7

Slide 7 text

“ Red teamers often differentiate themselves from pentesters in that they “emulate adversaries” yet how often do we hear them talk about actual adversarial TTP’s based off real world threat intel?

Slide 8

Slide 8 text

What I’m trying to accomplish Taking the time to analyze reports: ◈ The need for threat replication ◈ Helps produce capabilities ◈ Advance the team's capability Find some of this code that actually compiles … Every tester should understand what the actions they are doing in the background

Slide 9

Slide 9 text

Duqu 2.0 Stealth | Precision | Leverage 2

Slide 10

Slide 10 text

What makes Duqu Special? WMI Data Collection ◈ Enumerate process info ◈ Remote registry collection* ◈ Extract user info / files Driver Management ◈ Start / Stop Drivers ◈ Load Drivers ◈ Write Drivers to disk Situational Awareness A unique set of tools that allowed data collection and provided awareness to operators. ◈ Detects running sniffers Network Leverage A slew of network based attacks and collection methods. ◈ PCAP* ◈ NetBIOS ◈ WPAD Persistence Unique persistence or lack of persistence for such an aggressive threat. ◈ TTP’s and confidence ◈ Rarely implanted mechanism AD Query ADSI query and GC enumeration, think PowerView! This allows for all that PostEx fun.

Slide 11

Slide 11 text

Hacking Team hackers talk about their Tradecraft and methodology Persistence

Slide 12

Slide 12 text

Duqu style persistence In Memory Duqu reports indicate that the malware lived exclusively in memory. - This is a common practice as operators today - We do however need to plant persistence on long term operations Location Based Reports indicate that agent implant location was a large factor. - This dictated the survivability of agent - Picked high uptime server / Data centers* HIPS Avoidance Stealth is an obvious concern, staying off disk and avoiding potential HIPS. - Dropping to disk poses a risk to be caught by heuristics etc.

Slide 13

Slide 13 text

What was the driver to build this TTP? ◈ On a few long term engagements that required persistence and ability to OP (30+ Days) ◈ Need the ability to maintain constant C2 for backup ◈ This tool came in handy on more than one occasion and allowed for success

Slide 14

Slide 14 text

Questions you need to ask yourself on a OP?

Slide 15

Slide 15 text

Building Survivability Rating! Invoke-FindPersistence ❏ Main entry point ❏ PowerView! ❏ Enumerates target domain ❏ Filters: OS, Service Pack, SPN, ADSPath, Filter, ComputerName Invoke-Ping/Test-Wmi ❏ Feed computer object into Ping ❏ Feed up object into Test-Wmi to check for RPC ❏ WMI objects are full of properties (Pass Win32_OperatingSystem ) Calculate Values ❏ Calculate Value from 0-100 ❏ This is dependent on type of property ❏ Calculate weighted average to percent ❏ Calculate Persistence Survivability Rating Build Statistics ❏ Calculate Mean PSR ❏ Calculate Standard Deviation of PSR ❏ Variance Id’s hot spots! Calculate Weight Obtain WMI Get-NetComputer

Slide 16

Slide 16 text

Running the script.. ◈ Threads - Allowed for extremely fast WMI tests and data collection ◈ PowerView Get-NetComputer as the searcher: - Allows for very granular host selection ADSPath, Filter and OS ◈ Tips: - Find a custom “OU” for servers | PS> Get-NetOU -OUName *server* - Set -MaxHosts to a reasonable query size - Set -OperatingSystem to server versions

Slide 17

Slide 17 text

Persistence Survivability Rating Query Weighted Value Implemented Boot Time Get-WmiBootTime 40% Yes Install date Get-InstallDate 5% Yes OS Level Get-WmiOS 5% Yes System Enclosure Get-WmiSystemEnclosur e 10% Yes Architecture Get-WmiArch 5% Yes Disk Size Get-WmiDisk 5% Yes Processor Count Get-WmiProcessorCount 5% Yes Processor Cores Get-WmiProcessorCores 5% Yes Processor Speed Get-WmiProcessorSpeed 5% Yes Process Count Get-WmiProcessCount 5% Yes Persistence Checks Query Impact Implemente d VM Checks Truth of data Yes WMI Event Logging No Portable OS Implant Location Yes

Slide 18

Slide 18 text

Calculating the Mean → Calculate the Standard Deviation → Calculate Variance

Slide 19

Slide 19 text

Quick Demo!

Slide 20

Slide 20 text

Why 0day when you don't use SMB signing? Network Leverage

Slide 21

Slide 21 text

Duqu style network collection Modular Build Duqu reports indicate that the malware was modular in nature. - Common in malware and allows a custom build of agent - Reduces operational risk - This dynamic execution is emulated via reflective DLL’s Sniffer Duqu used legitimate WinPcap (npf.sys) driver for sniffing! - Full network stack capture - Ability to spoof and alter network stack Network Attacks Although Duqu had plenty of offensive capability, common network attacks integrated? - Allowed for NetBIOS / WPAD Attacks - Why use 0day or burn TTP’s if WPAD attack works? - Beyond AD in cases where separate network segments exists

Slide 22

Slide 22 text

UserMode Within usermode options are very limited. Elevated context is required and limited capture available. - WinSock2 possible - Allows pure native windows subsystem code to execute :) - OSI layer 3 and above available - No spoofing of the network stack Network Capture Options KernelMode Kernel space allows for complete control over the Network Stack and NIC. Elevated context and signed driver is needed. - Allows for NDIS integration of protocol drivers (NPF) - Full packet capture - Full packet injection - Network Monitoring

Slide 23

Slide 23 text

Native PCAP Capture in C++! Reflective DLL ❏ Main entry point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ Cobalt Strike! ❏ WinSock2 - allows for native capture ❏ Set up required API calls IPC Thread ❏ RDI in remote process has no communication with caller! ❏ Named pipe thread implemented for control ❏ Sets poison pill for control ❏ Write custom pcap header struct to disk Receive Filter ❏ Parse packet Ip, and protocol headers ❏ Filter on packet count, ip, port, and file size ❏ Parse and write to stdout ❏ Build PCAP packet struct and write to file Write Packet Build PCAP Start Capture

Slide 24

Slide 24 text

Winsock2 Native Sniffer

Slide 25

Slide 25 text

IPC with the capture (Language agnostic) C++ Named Pipe Server PowerShell Named Pipe client

Slide 26

Slide 26 text

Build PCAP Headers PCAP File Header PCAP Packet Header

Slide 27

Slide 27 text

Finally Weaponize with Stephen Fewer ReflectiveDLL Injection! Why? ◈ Stealthy: - Loaded Library will not register list of loaded modules in PEB - Enumeration of process modules will also not yield in exposure - Entirely in memory execution ◈ Modular Design: - Allows for dynamic expansion of agent if developer builds IPC standard - DLL patching for second stage payloads - Agent would only need stub loader RDI Process Injection: 1. Obtain byte array of DLL 2. Get handle on target proc and allocate memory 3. RWX target memory 4. Copy over DLL to target allocated memory 5. Calculate memory offset for the DLL export 6. Create remote thread with known offset to entry point 7. Reflective Loader function locates needed libraries (kernal32.dll) 8. Locate memory addresses of API calls needed to load itself 9. Finally once loaded into memory, call DLLMain()! https://github.com/stephenfewer | http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

Slide 28

Slide 28 text

Quick Demo!

Slide 29

Slide 29 text

Loading signed drivers at runtime and In a stealthy manner Hot Loading Drivers

Slide 30

Slide 30 text

APT Driver Loading Critical Design Duqu required driver execution within a few modules. This could dramatically help testers: - The nature of Duqu’s mission would need this capability - This capability is not often needed on Pen Test / Red Team Stealthy Standard driver loading often entails a service creation with reboot. Hot loading a driver can be done two ways: - Kernel Driver Service Creation - NtLoadDriver() undocumented functionality Unsigned Drivers The ability to load custom drivers relies on signed drivers. This however can be bypassed: - Using exploitable drivers to gain kernel code execution - ProjectSauron used this for Network Packet Filtering & modification driver

Slide 31

Slide 31 text

What was the driver to build this TTP? ◈ The process to start WinPcap dynamically - we will be using NPF as the scenario ◈ Ability to perform full packet capture! ◈ Because direct threat replication is cool

Slide 32

Slide 32 text

SC Driver Loading Using the service controller manager we can start and stop kernel driver services. This is easy on the scale but allows for a larger footprint forensically. - Easy to implement - Dirty artifacts: Service Creation, Service Deletion, Driver Load event - Requires Driver Path and Name Loading Driver Options (We will cover both) NtLoadDriver() Loading Using the undocumented function NtLoadDriver() stealthy driver loading is possible. - Allows for NDIS integration of protocol drivers (NPF) - Full packet capture - Full packet injection - Network Monitoring

Slide 33

Slide 33 text

SC Driver Loading in C++! Reflective DLL ❏ Main entry point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ CobaltStrike! ❏ Base64 decode driver and DLL’s ❏ Write DLL’s and driver to required locations Open SC Manager ❏ SC Handle creation ❏ Start Kernel Driver Service ❏ Remove service used to load driver Start Required Application ❏ Run User Mode code / application ❏ All required DLL’s are loaded via LoadLibary etc. ❏ Driver is in Kernel space ❏ Safe to remove files Clean Up Service Deletion Decode and Write

Slide 34

Slide 34 text

WinPcap Internals Overview

Slide 35

Slide 35 text

Loading WinPcap DLL Matrix Operating System Packet.dll wpcap.dll Windows XP x86 Windows 7 x86 Packet 2.dll wpcap.dll Windows 7 x64 Windows 10 x86 Packet 2.dll wpcap.dll Windows 10 x64 Packet 3.dll wpcap 2.dll Extracted WinPcap package

Slide 36

Slide 36 text

SC Driver Service

Slide 37

Slide 37 text

RDI SC Driver Demo!

Slide 38

Slide 38 text

NtDriverLoad Loading in C++! Reflective DLL ❏ Main entry point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ CobaltStrike! ❏ Enable privileges for current process ❏ SeLoadDriverPrivlage Write Registry Keys ❏ NtLoadDriver requires a registry location ❏ Write three required for API ❏ Retrieve NTDLL.dll location ❏ Retrieve Process location of undocumented call NtLoadDriver() ❏ Convert path to unicode ❏ Call Undocumented API call ❏ Pass registry path ❏ Call NtUnloadDriver on the registry path ❏ Clean up after all calls are done etc NtUnloadDriver Load NTDLL.dll Enable Privileges

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

RDI NtDriverLoad Demo!

Slide 41

Slide 41 text

APT 29 Long Term | Survivability | Fast Paced 3

Slide 42

Slide 42 text

What makes APT 29 Special? WMI ◈ Heavy reliance on WMI ◈ Custom WMI class creation ◈ Heavy use of PowerShell Persistence ◈ Not Agent persistence but the level of activity ◈ Extremely well equipped Agent Deployment The ability to use multiple agents with multiple IOC’s ◈ Using a main agent vs backup agent ◈ Think C2 initial setup Known Lots of great research on the net! Talks from mandiant and ◈ Defcon talks like “WhyMI so Sexy?” Matt Graber ◈ Nick Carr, Matt Dunwoody, DJ Palombo, and Alec Randazzo Mandiant Talk

Slide 43

Slide 43 text

A Custom RDI Agent POC Long Term Agent

Slide 44

Slide 44 text

Agent Capability Core Agent (Modular): - Pure C++ Agent - In memory logging outlet - Standard Calls (Sleep/Jitter etc..) - VM Detection (WMI Profiling) - AV Detection (Driver Query Based) - Process Listing (API / WMI Methods) - Shell Commands (cmd.exe) - Shell Code Injection (Process Injection) - Token Manipulation (Make Token/Rev) - RunAs - WinAES (Windows Crypto Providers) - WMI Monitoring: - Service Creation - Process Creation - Driver Creation

Slide 45

Slide 45 text

WMI Event Monitoring Why should I care? ◈ HUNT / IR is doing it to catch you, why can't we use it to catch them? ⬥ HIPS, UpRoot ◈ Think about how you capture memory from a compromised machine! ⬥ USB with Memorize in userland... ◈ The ability to make operator decision agent side in time sensitive situations ⬥ The ability to cleanly exit an agent or just sleep What should we monitor: ◈ Process Creation: ⬥ IR Toolset ⬥ Common RE / Memory Capture ⬥ Environmental Change (HUNT?) ◈ Service Creation: ⬥ New software ex (cylance service creation) ◈ Driver Install: ⬥ Often complete memory capture requires signed driver ⬥ NPF.sys, mktools.sys etc..

Slide 46

Slide 46 text

WMI Process Monitoring Within Agent

Slide 47

Slide 47 text

Rule Creation (Dynamic Vector) Rule Trigger Handler

Slide 48

Slide 48 text

Process Creation Ex.

Slide 49

Slide 49 text

Service Creation Ex.

Slide 50

Slide 50 text

Ex. Rule Triggered

Slide 51

Slide 51 text

WMI Event Within Demo!

Slide 52

Slide 52 text

Conclusion Code Takeaways: ◈ All of these techniques are talked about documented and mentioned. ⬥ Nothing 100% novel ◈ Finding the documentation is near nonexistent ⬥ Finding code that compiled.. ◈ Hopefuly the mass amount of PS, C++ code examples are helpful! ⬥ All written in VS 2015 with project files :) Key Takeaways: ◈ The attempt to try some of these techniques (TTP’s) ⬥ Driver loading not often but really cool! ◈ The knowledge gained on low level Windows operations ⬥ Very key for operators debugging toolsets

Slide 53

Slide 53 text

https://github.com/killswitch-GUI/Domain-WIFILocate Geo Wifi Keys https://github.com/killswitch-GUI/Persistence-Survivability Persistence Survivability Rating https://github.com/killswitch-GUI/Winsock-PCAP Winsock2 PCAP Capture https://github.com/killswitch-GUI/HotLoad-LoadDriver/ ScLoadDriver / WinPcap / NtLoadDriver https://github.com/killswitch-GUI/DeepFreeze-Agent POC IR Aware Agent

Slide 54

Slide 54 text

Any questions? You can find me at: @Killswitch-GUI · CyberSyndicates.com