Evading Defenses with Acidrain, Powershell, Github and Pastebin

Mike Poor and Jay Beale
Adam Crompton, Tyler Robinson and John Sawyer
InGuardians
(bonus booth talk on Word macro-based exploitation and remote access tool)
Copyright 2015 InGuardians, Inc.
Evasion Tactics
•  Self-decrypting Python Droppers
•  Powershell In-Memory Command and Control
•  (Booth) Macro Execution and the Throwback Remote Access Tool
•  Anti-virus vendor chosen:
–  Symantec Endpoint Protection 12.1.16
AcidRain
•  We've never been caught by A/V with AcidRain
•  Encrypts Python in AES-256
–  We use msfvenom's Python version of the Meterpreter
•  Pyinstaller to create an EXE
•  Methods of obtaining key
–  Keep the key in the payload
–  Socket connect (nc -l)
–  Web request (python SimpleHTTPServer)
•  This works for any Python code.
AcidRain Modules
•  System profiler
–  Mac, Linux, Windows
–  Automated post-exploitation profiling commands
–  Phones home, sends profiling output, cuts connection
–  Reconnects after a pre-defined time
•  SOCKS4 proxy
•  Bind shell
•  Reverse shell
Uses Pyinstaller
•  Pyinstaller bundles Python applications into a single exe file.
•  Run on Linux using Wine:
   wine c:\\Python27\\python.exe /usr/share/pyinstaller/pyinstaller.py /home/user/hello.py --onefile
Demo
AcidRain
(Video will be linked to from InGuardians website within one week)
Puppet Master C2 Framework
•  Powershell Command and Control (C2) via third-party, widely-used services
•  Current payloads:
–  Invoke-Github.ps1
–  Invoke-Pastebin.ps1
•  If these are blocked, we can create more, making the defenders play Whack-a-Mole!
•  Submitting these to @harmjoy for Empire inclusion
Powershell Commands
•  The attacker types Powershell commands and receives their output.
•  This is incredibly powerful, as we can use all the Powershell frameworks, our own commandlets, or just start running commands.
Github and Pastebin
•  On Github, we create a "gist," a non-project code publish.
–  All C2 data is comments on the gist.
•  On Pastebin, we create a paste.
–  Expiration date is set to a short time, say, one hour.
Encryption
•  Prereq: Powershell v2.0 and .NET version 4.0
•  Encryption used: AES 256-bit via the ConvertTo-SecureString and ConvertFrom-SecureString commandlets
•  All commands and results are encrypted before posting to the third-party page, so no data is divulged there.
How Does the C2 Function
(Diagram in the original slides: Attacker, Third Party Service (Pastebin, Github), Victim)
1.  Beacon checks in for a new command with dynamic jitter rate.
2.  Attacker sends a command in a request to the third party service's API.
3.  Attacker polls the third party service until a response is posted.
4.  Beacon gets the command that the attacker stored in the post and runs it on the host.
5.  Beacon sends command output back to the third party service.
6.  Attacker gets the response from the server.
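From the defender's side, the loop above leaves one observable: a host fetching the same gist or paste resource over and over at a near-constant interval. The following is an added example, not Puppet Master code or anything from the talk, that scans constructed proxy log lines for that cadence; the host list, log format and jitter threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the talk): timestamp, client, host, path.
SAMPLE_LOG = """\
2015-11-16T10:00:00 10.1.1.25 api.github.com /gists/abc123/comments
2015-11-16T10:00:58 10.1.1.25 api.github.com /gists/abc123/comments
2015-11-16T10:02:05 10.1.1.25 api.github.com /gists/abc123/comments
2015-11-16T10:03:01 10.1.1.25 api.github.com /gists/abc123/comments
2015-11-16T10:03:59 10.1.1.25 api.github.com /gists/abc123/comments
2015-11-16T10:05:10 10.1.1.25 api.github.com /gists/abc123/comments
2015-11-16T10:31:40 10.1.1.40 pastebin.com /raw/XyZ12345
2015-11-16T11:45:03 10.1.1.40 api.github.com /gists/abc123/comments
"""

# The relays the deck names; legitimate traffic to them is common, so the
# signal is the cadence of repeated requests to one resource, not the host.
WATCHED_HOSTS = {"api.github.com", "gist.github.com", "pastebin.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, client, host, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_beacons(log_text, min_hits=5, max_jitter=0.5):
    """Flag (client, host, path) series whose request gaps are near-regular.

    max_jitter bounds stdev/mean of the gaps: a beacon with a jitter window
    keeps it small, a person reading a gist does not.
    """
    series = defaultdict(list)
    for ts, client, host, path in parse(log_text):
        if host in WATCHED_HOSTS:
            series[(client, host, path)].append(ts)
    findings = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((key, round(avg, 1)))
    return findings
```

The single hit from 10.1.1.40 falls below min_hits and is ignored; the six-request series from 10.1.1.25 is reported with its mean gap in seconds.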
DEMO
Invoke-Pastebin.ps1
Invoke-Github.ps1
(Video will be linked to from InGuardians website within one week)
Booth: Macro-Based Injection
•  Threat actors don't always use sophisticated attacks.
•  Why use a $10k 0-day or reverse engineer a protocol when a simple email will work?
•  Microsoft Office Macro-Based Payload Injection
–  Great way to get an initial foothold or gain more access in the environment.
–  Utilize memory-based injections
Executables Embedded in Macros
•  We use Office Developer Tools to create a macro containing an encrypted and base64-encoded payload.
•  We place the macro in a document, formatted as a regular .doc or .xls file.
–  It does not have to be the .docm format.
•  The payload executes silently in the background.
•  This payload could be an .EXE or a .DLL file.
Additional A/V Evasion
•  The macro can drop the payload to disk as a compressed archive to help avoid detection.
•  We can extract a DLL as a .log file in a hidden directory and run it using rundll32.exe.
•  In this case, we're going to place the Throwback open source RAT onto the system via the macro.
Payload and Persistence
•  In this demo, the Throwback backdoor:
–  drops a .exe into a hidden directory as a hidden file
–  runs this .exe, which deletes its on-disk file
–  which in turn copies a second .exe to a different hidden directory as a different hidden file
–  and creates a service and checks proxy settings to gain Internet access to call home, all using native Windows API calls.
Throwback RAT
•  We use the Throwback RAT as a long-term foothold in the organization.
•  The RAT beacons home over HTTP(S) and DNS using winhttp/wininet for proxy awareness.
•  The backdoor is then used to pivot to other boxes, where we deploy RATs on systems other than the beaconing hosts, to retain access and avoid detection.
DLL Execution: Cobalt Strike Beacon
•  Here, we place the Cobalt Strike Reverse HTTPS Beacon on the victim as perflib0.log and execute it with rundll32.exe.
•  Run Mimikatz and hashdump for cleartext passwords and local hashes.
•  We could also use the beacon to spawn meterpreter in memory, use powershell, pivot, scan and attack.
Injecting Shellcode into a Process
•  We also inject a meterpreter payload into an already-running process: we generate raw shellcode (perflib0.html) and inject it into that process.
•  This was not detected by AV.
Steps in the Video 1 of 2
1.  Create a Word macro and e-mail it to a SE victim.
2.  Victim opens the Word doc and approves the macro.
3.  Throwback binary starts, connects to the PHP app.
4.  Get a process list to find a process to inject into.
5.  Create Meterpreter shellcode (perflib0.html).
6.  Download Cobalt Strike (perflib0.log).
Steps in the Video 2 of 2
7.  Instruct the victim to rundll32 perflib0.log.
8.  Instruct the victim to download the shellcode and inject it into PID 1560.
9.  Interact over Cobalt Strike.
10. Interact over the Meterpreter session.
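Steps 6 and 7 above, and the DLL Execution slide, both rely on rundll32.exe loading a module that is not named .dll and does not live where system DLLs do. This added example, not from the talk or Throwback, triages constructed process-creation events for exactly those two properties; the event field names and the user-writable path markers are assumptions.

```python
import os
import re

# Constructed process-creation events (not from the talk), carrying the
# image and command-line fields a Sysmon EID 1 or Security 4688 record has.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\bob\AppData\Local\cache\perflib0.log",Run'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL"},
]

# rundll32 takes "<module>[,<entry>] [args]"; the module may be double-quoted.
MODULE_RE = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))',
                       re.IGNORECASE)
# Assumed markers for locations a standard user can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")

def leaf(path):
    """Last path component, tolerant of Windows separators on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None."""
    m = MODULE_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def suspicious_reasons(event):
    """List why this rundll32 launch deserves analyst attention (empty if benign)."""
    reasons = []
    if leaf(event["image"]).lower() != "rundll32.exe":
        return reasons
    module = rundll32_module(event["cmdline"])
    if not module:
        return reasons
    ext = os.path.splitext(leaf(module))[1].lower()
    if ext != ".dll":
        reasons.append(f"module has non-DLL extension {ext or '(none)'}")
    # The hidden attribute never shows in a command line, so key on location:
    # system DLLs do not live under user-writable paths.
    if any(marker in module.lower() for marker in USER_WRITABLE):
        reasons.append("module loaded from a user-writable path")
    return reasons

def triage(events):
    """Return (index, reasons) for each event that raised at least one reason."""
    return [(i, r) for i, r in ((i, suspicious_reasons(e)) for i, e in enumerate(events)) if r]
```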
Demo
(Video will be linked to from InGuardians website within one week)
Pivot, Pivot, Pivot
•  With an initial foothold, the goal is always to pivot and avoid detection.
•  With good OPSec, you can maintain long-term access as well as pivot and attack.
Thank You
Talk and Demo at our table at 3:30pm.
We're always seeking to up our game, create cool tools and techniques, and share with our community.
InGuardians is proud to sponsor the SANS Pentest HackFest.