RAT “Repurposing Adversarial Tradecraft”

Overview Introduction of topic ◈ Who am I ◈ Where I come from ◈ Topic Intro ⬥ What is RAT ◈ What i’m trying to accomplish Adversarial Tradecraft ◈ Tactics, Techniques and Procedures (TTP’s) ◈ Tools that can be integrated Adversaries Covered ◈ Duqu ◈ Hacking Team ◈ APT 29 ◈ ProjectSauron

Who am I? I am Alexander Rymdeko-Harvey I am Pentester / Red Teamer, Previous US ARMY enlisted and have worked on the following: SimplyEmail, SimplyTemplate, EmPyre/Empire You can find me at @Killswitch-GUI

Some Background on the tools developed: ◈ Strong background in Python and common tradecraft ◈ Six months ago I had barely any C++ skill set when it came to development ◈ Tools developed are POC and are weaponized for specific use cases with multiple languages (Python, Powershell, C++) ◈ All are open source and can be found at Github.com/Killswitch-GUI ◈ I don't know if I will maintain or expand weaponization Major shout out to the entire team for the help and aid developing these , especially: Matt Graber | Justin Warner | Chris Ross | Lee Christian | Matt Nelson | Rohan Vazarkar | Keelyn Roberts

Topic Intro Let’s start with the first set of slides 1

What is RAT? Repurposing adversarial tradecraft stems from the traditional sense of warfare and evolving your force to meet a threat. - Justin Warner has a great 3 part series on the Red Team. https://www.sixdub.net/?p=705 What is this all about? Why so important? - Pushes the community forward - Educate yourself and the client of the newest attack vector

“ Red teamers often differentiate themselves from pentesters in that they “emulate adversaries” yet how often do we hear them talk about actual adversarial TTP’s based off real world threat intel?

What I’m trying to accomplish Taking the time to analyze reports: ◈ The need for threat replication ◈ Helps produce capabilities ◈ Advance the team's capability Find some of this code that actually compiles … Every tester should understand what the actions they are doing in the background

Duqu 2.0 Stealth | Precision | Leverage 2

What makes Duqu Special? WMI Data Collection ◈ Enumerate process info ◈ Remote registry collection* ◈ Extract user info / files Driver Management ◈ Start / Stop Drivers ◈ Load Drivers ◈ Write Drivers to disk Situational Awareness A unique set of tools that allowed data collection and provided awareness to operators. ◈ Detects running sniffers Network Leverage A slew of network based attacks and collection methods. ◈ PCAP* ◈ NetBIOS ◈ WPAD Persistence Unique persistence or lack of persistence for such an aggressive threat. ◈ TTP’s and confidence ◈ Rarely implanted mechanism AD Query ADSI query and GC enumeration, think PowerView! This allows for all that PostEx fun.

Hacking Team hackers talk about their Tradecraft and methodology Persistence

Duqu style persistence In Memory Duqu reports indicate that the malware lived exclusively in memory. - This is a common practice as operators today - We do however need to plant persistence on long term operations Location Based Reports indicate that agent implant location was a large factor. - This dictated the survivability of agent - Picked high uptime server / Data centers* HIPS Avoidance Stealth is an obvious concern, staying off disk and avoiding potential HIPS. - Dropping to disk poses a risk to be caught by heuristics etc.

What was the driver to build this TTP? ◈ On a few long term engagements that required persistence and ability to OP (30+ Days) ◈ Need the ability to maintain constant C2 for backup ◈ This tool came in handy on more than one occasion and allowed for success

Questions you need to ask yourself on a OP?

Building Survivability Rating! Invoke-FindPersistence ❏ Main entry point ❏ PowerView! ❏ Enumerates target domain ❏ Filters: OS, Service Pack, SPN, ADSPath, Filter, ComputerName Invoke-Ping/Test-Wmi ❏ Feed computer object into Ping ❏ Feed up object into Test-Wmi to check for RPC ❏ WMI objects are full of properties (Pass Win32_OperatingSystem ) Calculate Values ❏ Calculate Value from 0-100 ❏ This is dependent on type of property ❏ Calculate weighted average to percent ❏ Calculate Persistence Survivability Rating Build Statistics ❏ Calculate Mean PSR ❏ Calculate Standard Deviation of PSR ❏ Variance Id’s hot spots! Calculate Weight Obtain WMI Get-NetComputer

Running the script.. ◈ Threads - Allowed for extremely fast WMI tests and data collection ◈ PowerView Get-NetComputer as the searcher: - Allows for very granular host selection ADSPath, Filter and OS ◈ Tips: - Find a custom “OU” for servers | PS> Get-NetOU -OUName *server* - Set -MaxHosts to a reasonable query size - Set -OperatingSystem to server versions

Persistence Survivability Rating Query Weighted Value Implemented Boot Time Get-WmiBootTime 40% Yes Install date Get-InstallDate 5% Yes OS Level Get-WmiOS 5% Yes System Enclosure Get-WmiSystemEnclosur e 10% Yes Architecture Get-WmiArch 5% Yes Disk Size Get-WmiDisk 5% Yes Processor Count Get-WmiProcessorCount 5% Yes Processor Cores Get-WmiProcessorCores 5% Yes Processor Speed Get-WmiProcessorSpeed 5% Yes Process Count Get-WmiProcessCount 5% Yes Persistence Checks Query Impact Implemente d VM Checks Truth of data Yes WMI Event Logging No Portable OS Implant Location Yes

Calculating the Mean → Calculate the Standard Deviation → Calculate Variance

Quick Demo!

Why 0day when you don't use SMB signing? Network Leverage

Duqu style network collection Modular Build Duqu reports indicate that the malware was modular in nature. - Common in malware and allows a custom build of agent - Reduces operational risk - This dynamic execution is emulated via reflective DLL’s Sniffer Duqu used legitimate WinPcap (npf.sys) driver for sniffing! - Full network stack capture - Ability to spoof and alter network stack Network Attacks Although Duqu had plenty of offensive capability, common network attacks integrated? - Allowed for NetBIOS / WPAD Attacks - Why use 0day or burn TTP’s if WPAD attack works? - Beyond AD in cases where separate network segments exists

UserMode Within usermode options are very limited. Elevated context is required and limited capture available. - WinSock2 possible - Allows pure native windows subsystem code to execute :) - OSI layer 3 and above available - No spoofing of the network stack Network Capture Options KernelMode Kernel space allows for complete control over the Network Stack and NIC. Elevated context and signed driver is needed. - Allows for NDIS integration of protocol drivers (NPF) - Full packet capture - Full packet injection - Network Monitoring

Native PCAP Capture in C++! Reflective DLL ❏ Main entry point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ Cobalt Strike! ❏ WinSock2 - allows for native capture ❏ Set up required API calls IPC Thread ❏ RDI in remote process has no communication with caller! ❏ Named pipe thread implemented for control ❏ Sets poison pill for control ❏ Write custom pcap header struct to disk Receive Filter ❏ Parse packet Ip, and protocol headers ❏ Filter on packet count, ip, port, and file size ❏ Parse and write to stdout ❏ Build PCAP packet struct and write to file Write Packet Build PCAP Start Capture

Winsock2 Native Sniffer

IPC with the capture (Language agnostic) C++ Named Pipe Server PowerShell Named Pipe client

Build PCAP Headers PCAP File Header PCAP Packet Header

Finally Weaponize with Stephen Fewer ReflectiveDLL Injection! Why? ◈ Stealthy: - Loaded Library will not register list of loaded modules in PEB - Enumeration of process modules will also not yield in exposure - Entirely in memory execution ◈ Modular Design: - Allows for dynamic expansion of agent if developer builds IPC standard - DLL patching for second stage payloads - Agent would only need stub loader RDI Process Injection: 1. Obtain byte array of DLL 2. Get handle on target proc and allocate memory 3. RWX target memory 4. Copy over DLL to target allocated memory 5. Calculate memory offset for the DLL export 6. Create remote thread with known offset to entry point 7. Reflective Loader function locates needed libraries (kernal32.dll) 8. Locate memory addresses of API calls needed to load itself 9. Finally once loaded into memory, call DLLMain()! https://github.com/stephenfewer | http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

Quick Demo!

Loading signed drivers at runtime and In a stealthy manner Hot Loading Drivers

APT Driver Loading Critical Design Duqu required driver execution within a few modules. This could dramatically help testers: - The nature of Duqu’s mission would need this capability - This capability is not often needed on Pen Test / Red Team Stealthy Standard driver loading often entails a service creation with reboot. Hot loading a driver can be done two ways: - Kernel Driver Service Creation - NtLoadDriver() undocumented functionality Unsigned Drivers The ability to load custom drivers relies on signed drivers. This however can be bypassed: - Using exploitable drivers to gain kernel code execution - ProjectSauron used this for Network Packet Filtering & modification driver

What was the driver to build this TTP? ◈ The process to start WinPcap dynamically - we will be using NPF as the scenario ◈ Ability to perform full packet capture! ◈ Because direct threat replication is cool

SC Driver Loading Using the service controller manager we can start and stop kernel driver services. This is easy on the scale but allows for a larger footprint forensically. - Easy to implement - Dirty artifacts: Service Creation, Service Deletion, Driver Load event - Requires Driver Path and Name Loading Driver Options (We will cover both) NtLoadDriver() Loading Using the undocumented function NtLoadDriver() stealthy driver loading is possible. - Allows for NDIS integration of protocol drivers (NPF) - Full packet capture - Full packet injection - Network Monitoring

SC Driver Loading in C++! Reflective DLL ❏ Main entry point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ CobaltStrike! ❏ Base64 decode driver and DLL’s ❏ Write DLL’s and driver to required locations Open SC Manager ❏ SC Handle creation ❏ Start Kernel Driver Service ❏ Remove service used to load driver Start Required Application ❏ Run User Mode code / application ❏ All required DLL’s are loaded via LoadLibary etc. ❏ Driver is in Kernel space ❏ Safe to remove files Clean Up Service Deletion Decode and Write

WinPcap Internals Overview

Loading WinPcap DLL Matrix Operating System Packet.dll wpcap.dll Windows XP x86 Windows 7 x86 Packet 2.dll wpcap.dll Windows 7 x64 Windows 10 x86 Packet 2.dll wpcap.dll Windows 10 x64 Packet 3.dll wpcap 2.dll Extracted WinPcap package

SC Driver Service

RDI SC Driver Demo!

NtDriverLoad Loading in C++! Reflective DLL ❏ Main entry point ❏ Entire project is weaponized in a reflective DLL (RDI) ❏ CobaltStrike! ❏ Enable privileges for current process ❏ SeLoadDriverPrivlage Write Registry Keys ❏ NtLoadDriver requires a registry location ❏ Write three required for API ❏ Retrieve NTDLL.dll location ❏ Retrieve Process location of undocumented call NtLoadDriver() ❏ Convert path to unicode ❏ Call Undocumented API call ❏ Pass registry path ❏ Call NtUnloadDriver on the registry path ❏ Clean up after all calls are done etc NtUnloadDriver Load NTDLL.dll Enable Privileges

No content

RDI NtDriverLoad Demo!

APT 29 Long Term | Survivability | Fast Paced 3

What makes APT 29 Special? WMI ◈ Heavy reliance on WMI ◈ Custom WMI class creation ◈ Heavy use of PowerShell Persistence ◈ Not Agent persistence but the level of activity ◈ Extremely well equipped Agent Deployment The ability to use multiple agents with multiple IOC’s ◈ Using a main agent vs backup agent ◈ Think C2 initial setup Known Lots of great research on the net! Talks from mandiant and ◈ Defcon talks like “WhyMI so Sexy?” Matt Graber ◈ Nick Carr, Matt Dunwoody, DJ Palombo, and Alec Randazzo Mandiant Talk

A Custom RDI Agent POC Long Term Agent

Agent Capability Core Agent (Modular): - Pure C++ Agent - In memory logging outlet - Standard Calls (Sleep/Jitter etc..) - VM Detection (WMI Profiling) - AV Detection (Driver Query Based) - Process Listing (API / WMI Methods) - Shell Commands (cmd.exe) - Shell Code Injection (Process Injection) - Token Manipulation (Make Token/Rev) - RunAs - WinAES (Windows Crypto Providers) - WMI Monitoring: - Service Creation - Process Creation - Driver Creation

WMI Event Monitoring Why should I care? ◈ HUNT / IR is doing it to catch you, why can't we use it to catch them? ⬥ HIPS, UpRoot ◈ Think about how you capture memory from a compromised machine! ⬥ USB with Memorize in userland... ◈ The ability to make operator decision agent side in time sensitive situations ⬥ The ability to cleanly exit an agent or just sleep What should we monitor: ◈ Process Creation: ⬥ IR Toolset ⬥ Common RE / Memory Capture ⬥ Environmental Change (HUNT?) ◈ Service Creation: ⬥ New software ex (cylance service creation) ◈ Driver Install: ⬥ Often complete memory capture requires signed driver ⬥ NPF.sys, mktools.sys etc..

WMI Process Monitoring Within Agent

Rule Creation (Dynamic Vector) Rule Trigger Handler

Process Creation Ex.

Service Creation Ex.

Ex. Rule Triggered

WMI Event Within Demo!

Conclusion Code Takeaways: ◈ All of these techniques are talked about documented and mentioned. ⬥ Nothing 100% novel ◈ Finding the documentation is near nonexistent ⬥ Finding code that compiled.. ◈ Hopefuly the mass amount of PS, C++ code examples are helpful! ⬥ All written in VS 2015 with project files :) Key Takeaways: ◈ The attempt to try some of these techniques (TTP’s) ⬥ Driver loading not often but really cool! ◈ The knowledge gained on low level Windows operations ⬥ Very key for operators debugging toolsets

https://github.com/killswitch-GUI/Domain-WIFILocate Geo Wifi Keys https://github.com/killswitch-GUI/Persistence-Survivability Persistence Survivability Rating https://github.com/killswitch-GUI/Winsock-PCAP Winsock2 PCAP Capture https://github.com/killswitch-GUI/HotLoad-LoadDriver/ ScLoadDriver / WinPcap / NtLoadDriver https://github.com/killswitch-GUI/DeepFreeze-Agent POC IR Aware Agent

Any questions? You can find me at: @Killswitch-GUI · CyberSyndicates.com