Cracking the Perimeter with SharpShooter Dominic Chell June 2019


Page 1: Cracking the Perimeter with SharpShooter - Hack In Paris

Cracking the Perimeter with SharpShooter

Dominic Chell, June 2019

Page 2: # whoami

•Dominic Chell:
  •Offensive Security @ MDSec
  •Responsible for *BEST, STAR and TIBER services
  •Twitter: @domchell
•Projects:
  •SharpShooter
  •SharpPack
  •Chameleon
  •LyncSniper
  •PowerDNS

Page 3: OUTLINE

•Background
•SharpShooter Overview
•Reconnaissance
•Delivery
•Sandbox Evasion
•Staging
•“Free Styling” with SharpShooter
•Exploring AMSI
•Macro Support
•Tradecraft
•Detection / Prevention

Page 4: BACKGROUND

•Establishing initial access can often be complex
•Increased focus from defenders on PowerShell attacks
•Easy to signature both statically and with process spawn chains
•AMSI provides engines direct access to memory
•Rise of sandboxing tech, “Next Gen Anti-Virus”, EDR and EDP
•Increased difficulties introducing payloads to environments
•Red teaming is getting harder!

Page 5: OVERVIEW: SharpShooter

•Internally developed tool: SharpShooter
•Successful on a number of adversary simulations
•Some success in bypassing traditional and “Next Gen” security controls

Page 6: OVERVIEW: SharpShooter

Page 7: OVERVIEW: SharpShooter

•Staged and stageless payload creation framework for Windows-based scripting file formats:
  •HTML Applications
  •JavaScript
  •VBScript
  •Windows Script Files
•VBA and Excel4 Macro Support
•Arbitrary execution of CSharp source
•Anti-Sandboxing and HTML Smuggling

Page 8: OVERVIEW: SharpShooter

•Script payloads execute DotNet using DotNetToJScript
•Staged payloads:
  •Arbitrary CSharp source code is retrieved via DNS or web
  •CSharp source code is compiled and executed using reflection

Page 9: RECONNAISSANCE

•Targeted reconnaissance provides a better chance of success
•Payload should be targeted for the correct version of the DotNet framework
•If executing in-process shellcode, it should correspond to the target’s architecture
•Alternatively, an x86 process can be spawned and injected into

Page 10: RECONNAISSANCE

•Reconnaissance e-mail with image and system profiling links
•Embed in e-mail:
  <img src="http://attacker.net/logo.png?uid=1234" />
•Monitor web logs for results:
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.6366; ms-office; MSOffice 16)

Page 11: DELIVERY

•Delivery can leverage the “HTML smuggling” technique from @buffaloverflow
•RC4-encrypted file decrypted in the browser using JavaScript’s WebCrypto APIs
•navigator.msSaveBlob forces the browser to save the decrypted blob locally
•Proxy sees text/html or attachment rather than the content type of the payload (e.g. text/vbscript)
•SharpShooter provides two pre-defined template examples

Page 12: SANDBOX EVASION

•Attempts to avoid automated analysis, inspired by CheckPlease:
  •Domain keying
  •Domain member
  •Sandbox artefacts
  •Bad MACs
  •Debugging

Page 13: SANDBOX EVASION

•Obtaining Active Directory name example:

Page 14: SANDBOX EVASION

•Obtaining Active Directory name example:

Page 15: DEMO: PALO ALTO TRAPS

Page 16: DETECTION STATUS

•Shortly after release, signatures began to emerge
•Defender AMSI signature detects all DotNetToJScript
•Proclaimed dead by @subTee

Page 17: DETECTION STATUS

Page 18: DETECTION STATUS

Page 19: SharpShooter RESURRECTION

Page 20: ANTIMALWARE SCAN INTERFACE

•Microsoft introduced AMSI in Windows 10
•Standard interface to provide file, memory and stream scanning for any application
•Analysis happens at the scripting engine, so the engine has access to the plain, deobfuscated code
•Supported in PowerShell, Windows Script Host, JavaScript and VBScript, and Office VBA macros

Page 21: ANTIMALWARE SCAN INTERFACE

Page 22: ANTIMALWARE SCAN INTERFACE

Page 23: ANTIMALWARE SCAN INTERFACE

•Mid-April 2018 @subTee released the “SquiblyTwo” attack
•Script execution through stylesheets using wmic.exe
•Defender AMSI did not trigger

Page 24: COM STAGING

•Updates to SharpShooter to include “COM Staging” and XSL / SCT generation
•Several known COM methods allow command execution:
  •Outlook.CreateObject
  •WScript.Run
  •Shellbrowserwindow.Document.Application.Run
  •WMI StartWin32Process
•Leverage COM to execute wmic.exe or regsvr32.exe on the command line to perform “Squiblydoo” and “SquiblyTwo” attacks

Page 25: COM STAGING

HTA, JS, VBS -> COM Interface (Outlook, WScript, WMI etc) -> wmic.exe / regsvr32.exe -> Remotely Hosted XSL or SCT

Page 26: FREE STYLING WITH SharpShooter

Page 27: FREE STYLING WITH SharpShooter

•Research into COM objects supporting XSL processing identified the Microsoft.XMLDOM interface
•Inline and remotely hosted transformation of XML against a given stylesheet, providing the following benefits:
  •No command line execution
  •Avoids regsvr32.exe, which has known IOCs (e.g. User-Agent)
  •XSL retrieval via HTTP/HTTPS
•AMSI not supported in scriptlets; added early 2019
•Later used by @bohops to bypass WDAC in CVE-2018-8492

Page 28: FREE STYLING WITH SharpShooter

Page 29: DEMO: WINDOWS DEFENDER XSL

Page 30: AMSI BYPASSES

•@Tal_Liberman discovered an AMSI bypass using the “AmsiEnable” registry key (HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable)
•Requires the user to “open” the payload twice:
  •First pass checks the registry to determine if the key is set and, if not, sets it
  •Second pass opens the payload from the user’s download folder
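The defender's counterpart to this slide (and to the "modifications to AmsiEnable" detection item on the Detection slide), as an added example that is not part of the talk or of SharpShooter: audit every loaded user hive for the Windows Script Host AmsiEnable value. The key does not exist on a default system, so its mere presence is worth reporting; the function name and the -Remediate switch are this example's own.

```powershell
# Added example (not from the talk or SharpShooter): audit loaded user hives for the
# Windows Script Host "AmsiEnable" value. A value of 0 turns AMSI off for WSH-hosted
# JScript/VBScript. Run elevated so that hives other than the current user's are visible.
function Get-AmsiEnableTamper {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)  # -Remediate deletes a value of 0 after reporting it
    # HKEY_USERS has one subkey per loaded profile (SID); the *_Classes views are not needed.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows Script\Settings"
        if (-not (Test-Path -Path $keyPath)) { continue }
        $item = Get-ItemProperty -Path $keyPath -Name 'AmsiEnable' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key exists but the value does not: nothing to report
        $disabled = ($item.AmsiEnable -eq 0)
        [pscustomobject]@{
            Sid          = $hive.PSChildName
            AmsiEnable   = $item.AmsiEnable
            AmsiDisabled = $disabled
        }
        if ($disabled -and $Remediate -and $PSCmdlet.ShouldProcess($keyPath, 'Remove AmsiEnable')) {
            Remove-ItemProperty -Path $keyPath -Name 'AmsiEnable'
        }
    }
}

# Report only; add -Remediate (optionally with -WhatIf) to clear values of 0.
Get-AmsiEnableTamper | Format-Table -AutoSize
```

For real-time coverage rather than a periodic audit, a Sysmon RegistryEvent (Value Set, Event ID 13) rule on the same key path catches the first "open" the slide describes, before the second pass runs the payload.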

Page 31: AMSI BYPASSES

Page 32: AMSI BYPASSES

•@tiraniddo discovered a DLL hijacking vulnerability in AMSI
•The technique prevents LoadLibrary from loading the AMSI.dll by convincing it that it’s already loaded
•The scripting engine is unable to find the AMSI DLL exports and fails safe
•Copy wscript.exe to a known location with the name amsi.dll and run the script file

Page 33: AMSI BYPASSES

•@Tal_Liberman discovered another bypass in AMSI by patching the amsi.dll’s exported functions
•AmsiScanBuffer handles the buffer that is being scanned
•Function patched in memory to return AMSI_RESULT_CLEAN
  •mov eax, 0x80070057; retn

Page 34: DEMO: DEFENDER AMSI BYPASS

Page 35: MACRO SUPPORT

•In Feb 2019, SharpShooter added additional support for VBA and Excel 4.0 macros
•VBA support introduced using the XMLDOM and XSL technique
•@StanHacked discovered a legacy feature of Office to execute macros using Excel 4.0
•Excel 4.0 does not support AMSI and is not recognised by many EDR/EDP solutions
•SharpShooter generates an SLK file to directly execute shellcode in Excel

Page 36: DEMO: MACRO EXECUTION

Page 37: TRADECRAFT

•Default SharpShooter templates do not employ OpSec tradecraft; the stageless template:
  •Allocates memory EXECUTE_READWRITE for shellcode execution
  •Executes shellcode “in process”, e.g. mshta.exe performing C2
  •Spawns from the default parent, e.g. wscript.exe launched from chrome.exe
•Indicators discussed in detail by defenders:
  •https://countercept.com/blog/analyzing-sharpshooter-part-1/
  •https://countercept.com/blog/analyzing-sharpshooter-part-2/

Page 38: TRADECRAFT

•Reducing memory indicators is a trivial step:
  •Firstly allocate memory using PAGE_READWRITE
  •Reset the page permissions to PAGE_EXECUTE_READ using VirtualProtect

Page 39: TRADECRAFT

•Reducing process indicators can be achieved using injection:
  •Spawn an innocuous process, e.g. iexplore.exe
  •Inject shellcode using a chosen technique, e.g. ALPC, SetThreadContext, CreateRemoteThread etc.

Page 40: TRADECRAFT

•Parent PID spoofing can be performed using UpdateProcThreadAttribute
•CreateProcess using the STARTUPINFOEX struct

Page 41: DEMO: TRADECRAFT

Page 42: DETECTION

•Staged mode CSharp compilation using CodeDom with the CompilerParameters.GenerateInMemory = true; parameter
•Command line logging:
  •csc.exe invocation
  •nslookup.exe for DNS delivery
•Modifications to the AmsiEnable registry key for AMSI bypasses
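The command-line logging point above, turned into a hunt as an added example that is not part of the talk or of SharpShooter: Security event 4688 (process creation) is searched for csc.exe or nslookup.exe whose parent is a script host or Office process. It assumes "Audit Process Creation" and "Include command line in process creation events" are enabled; the function name and the parent list are this example's own choices.

```powershell
# Added example (not from the talk or SharpShooter): hunt Security 4688 events for the
# staging indicators the slide lists. Needs audit of process creation with command line
# logging enabled, and elevation to read the Security log.
function Find-SharpShooterStagingEvents {
    param(
        [int]$Hours = 24,
        # Parents a script-format payload runs under: WSH hosts, mshta, Office, and the
        # Squiblydoo/SquiblyTwo cradles from the COM Staging slides.
        [string[]]$ScriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'excel.exe',
                                   'winword.exe', 'wmic.exe', 'regsvr32.exe')
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull EventData into a name -> value table; field names are those of 4688.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $child  = [IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()
        $parent = [IO.Path]::GetFileName([string]$data['ParentProcessName']).ToLower()
        # csc.exe: GenerateInMemory still shells out to the C# compiler.
        # nslookup.exe: the DNS retrieval path for staged CSharp source.
        if (($child -in @('csc.exe', 'nslookup.exe')) -and ($parent -in $ScriptHosts)) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['SubjectUserName']
                Parent      = $parent
                Child       = $child
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Find-SharpShooterStagingEvents -Hours 72 | Format-Table -AutoSize -Wrap
```

A legitimate build server will also spawn csc.exe, but rarely from wscript.exe or mshta.exe, which is why the match is on the parent/child pair rather than on csc.exe alone.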

Page 43: PREVENTION

•Endpoint prevention strategies:
  •Device Guard code integrity policy
  •Application whitelisting, block mshta.exe etc.
  •Modify default handlers for scripting extensions
•Network:
  •Outbound DNS filtering
  •Monitor for HTML Smuggling, e.g. WebCrypto APIs
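The "modify default handlers for scripting extensions" control from this slide, as an added example that is not part of the talk or of SharpShooter: the machine-wide ProgIDs for .js/.jse/.vbs/.vbe/.wsf/.wsh/.hta get their open command pointed at notepad.exe, so a double-clicked payload is displayed as text instead of being run by wscript.exe or mshta.exe. The function names are this example's own.

```powershell
# Added example (not from the talk or SharpShooter): redirect the default handlers of the
# Windows scripting file types to notepad.exe. Run elevated; changes live under HKLM.
$ScriptProgIds  = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile')
$NotepadCommand = '"%SystemRoot%\System32\notepad.exe" "%1"'

function Get-ScriptHandler {
    # Report the current open command per ProgID so a change can be reviewed or rolled back.
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        $current = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
        [pscustomobject]@{
            ProgId   = $progId
            Command  = $current
            Hardened = ($current -eq $NotepadCommand)
        }
    }
}

function Set-ScriptHandlerToNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $key)) { continue }   # ProgID absent on this build: skip
        if ($PSCmdlet.ShouldProcess($key, "Set default to $NotepadCommand")) {
            # REG_EXPAND_SZ so %SystemRoot% is expanded when the shell launches the handler.
            Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCommand -Type ExpandString
        }
    }
}

Get-ScriptHandler | Format-Table -AutoSize          # before
Set-ScriptHandlerToNotepad -WhatIf                   # drop -WhatIf to apply
```

Per-user entries under HKCU\Software\Classes take precedence over these HKLM values, so audit those too; and since wscript.exe can still be invoked explicitly, this control is paired on the slide with application whitelisting rather than relied on alone.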

Page 44: CONCLUSIONS

•Windows scripting file formats provide a number of interesting opportunities for initial access
•Leveraging COM, these can be harnessed for code execution using scriptlets and execution cradles
•Creating weaponised tools raises ethical dilemmas, particularly when observed in the wild
•Red team research/tooling can however provide a rare opportunity to raise the bar in detection at scale

Page 45: REFERENCES

•SharpShooter available from https://github.com/mdsecactivebreach/SharpShooter
•Thanks to the following people:
  •@tiraniddo: DotNetToJScript
  •@Arno0x0x: EmbedInHTML
  •@buffaloverflow: Demiguise
  •@arvanaghi and @ChrisTruncer: CheckPlease
  •@subTee: Squiblydoo/Two
  •@StanHacked: Excel4.0 research

Page 46: QUESTIONS