PowerShell-RAT - (ISC)2 Melbourne Chapter - 16th Sep '19 Meeting (Information Security)

Transcript

1. PowerShell-RAT Viral Maniar

2. Disclaimer • Performing any hack attempts or tests without written

   permission from the owner of the systems is illegal. • This project must not be used for illegal purposes or for hacking into system where you do not have permission, it is strictly for educational purposes and for people to experiment with.

3. # whoami • Over 7 years of experience in the

   field of Information Security • Passionate about offensive and defensive security • Working as a Principal Security Consultant at Threat Intelligence Pty Ltd • In my free time I develop security tools • Outside from Infosec land – like photography https://github.com/Viralmaniar https://twitter.com/maniarviral https://www.linkedin.com/in/viralmaniar/ https://viralmaniar.github.io/

4. Recent news and statistics

5. MITRE ATT&CK

6. What is RAT?

7. Remote Access Trojan (RAT) • RAT is define as programs

   that provides the capability to allow covert surveillance or the ability to gain unauthorised access to a victim machine • Most RATs are designed to operate with a command and control server (C2 server or c&c server) • Attacker can send commands and receive data collected from the infected machines

8. Attack Vectors • RATs can be hidden in an exe

   files and placed on a USB as a file named resume or HR_Remuneration_2019 • RATs can be hidden in behind a fake web page button • It can be hidden in a picture, an icon or inside a video attachment • The most popular method hacker uses is to hide a binary inside a popular movie, song or a game and post it on a torrent for free download • USB Rubber Ducky

9. Why RAT? EMPIRE NISHANG POWERSPLOIT

10. Browser Warnings

11. Anti-Virus Tools

12. PowerShell-RAT • Open source tool written in Python and PowerShell

    • Assist Red Teamers and Penetration Testers to exfiltrate sensitive information via Gmail as command and control server during internal penetration test or through phishing campaigns • This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) softwares (for now) • Currently supports following functions: • Reverse Shell over Gmail • Screenshots • Keyboard strokes • Clipboard Hijack

13. PowerShell-RAT Overview Infected Machine RAT modules Attacker Controlled Gmail Account

    Runs modules frequently

14. Setup • Throwaway Gmail addresses • Enable "Allow less secure

    apps" by going to https://myaccount.google.com/lesssecureapps • Modify the $username & $password variables for your account in the Mail-*.ps1 PowerShell files • Modify $msg.From & $msg.To.Add with throwaway Gmail addresses

15. Screenshots Module • Takes screenshots of the user screen every

    1 minute using Graphics.CopyFromScreen Method • Sends an email to the attacker as an attachment • Deletes the screenshots to avoid suspicious

16. Clipboard Module • Keeps track of user clipboard along with

    timestamps every minute. • User can modify these as per their need to sniff every few seconds • Sends an email to the attacker with clipboard data as a clip.txt file attachment

17. Keystrokes Module • Starts keyboard strokes logging after user Authentication

    • Uses SetWindowsHookEx with WH_KEYBOARD_LL • Sends an email to the attacker with keystrokes data as a elog.txt file attachment

18. Reverse Shell Module • Uses Gmail API’s to read emails

    every 15 seconds and parses the commands from the attacker • Shell output gets sent to the attacker email • Examples of commands for reverse shell: • ISC2DEM019:whoami • ISC2DEM019:tasklist • ISC2DEM019:ipconfig • ISC2DEM019:KILL

19. Enough talking!

20. Detection Mechanism • SSL Stripping on your network. Some companies

    have policies to not perform SSL stripping on well known sites to maintain users privacy. Furthermore, attacker can encrypt traffic for exfiltration. • PowerShell Logging. However, attacker can clear these locations to avoid logging of the scripts. • Look for regularly timed DNS traffic through frequency analysis. However, this can be defeated using randomisation in connection timing. • Sysinternal tools such as autorun, sysmon, process explorer and process monitor to review system configurations. Requires time and resources.

21. Recommendations • Disable PowerShell for the domain users if not

    required • Application whitelist via software restriction policies • Invest in a decent EDR solutions and run this on every hosts and servers in your network

22. References • https://docs.microsoft.com/en- us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8 • https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get- clipboard?view=powershell-5.1 • https://developers.google.com/docs/api/quickstart/python •

    https://github.com/googleapis/google-api-python-client • https://www.pdq.com/blog/powershell-send-mailmessage-gmail/ • https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexa • https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks • https://www.itwire.com/security/australia-hit-by-9-2-million-malware-attacks-in-just-six- months.html • https://www.cyber.gov.au/aisi/statistics/malware-statistics • Sandeep Ghai from Threat Intelligence for his help on Reverse Shell Module