2. Overview
Introduction of topic
◈ Who am I
◈ Where I come from
◈ Topic Intro
⬥ What is RAT
◈ What I'm trying to accomplish
Adversarial Tradecraft
◈ Tactics, Techniques and Procedures (TTPs)
◈ Tools that can be integrated
Adversaries Covered
◈ Duqu
◈ Hacking Team
◈ APT 29
◈ ProjectSauron
3. Who am I?
I am Alexander Rymdeko-Harvey
I am a Pentester / Red Teamer with *************************, previously US Army enlisted,
and have worked on the following:
SimplyEmail, SimplyTemplate, EmPyre
You can find me at @Killswitch-GUI
4. Some Background on the tools developed:
◈ Strong background in Python and common tradecraft
◈ Six months ago I had barely any C++ skill set when it came to development
◈ Tools developed are POC and are weaponized for specific use cases with multiple languages (Python, PowerShell, C++)
◈ All are open source and can be found at Github.com/Killswitch-GUI
◈ I don't know if I will maintain or expand weaponization
Major shout out to the entire team for the help and aid developing these, especially:
Matt Graeber | Justin Warner | Chris Ross | Lee Christian | Matt Nelson | Rohan Vazarkar | Keelyn Roberts
6. What is RAT?
What is this all about?
Repurposing adversarial tradecraft (RAT) stems from the traditional sense of warfare and evolving your force to meet a threat.
- Justin Warner has a great 3 part series on the Red Team: https://www.sixdub.net/?p=705
Why so important?
- Pushes the community forward
- Educate yourself and the client on the newest attack angle
7. “Red teamers often differentiate themselves from pentesters in that they ‘emulate adversaries’, yet how often do we hear them talk about actual adversarial TTPs based off real world threat intel?”
8. What I'm trying to accomplish
Taking the time to analyze reports:
◈ The need for threat replication
◈ Helps produce capabilities
◈ Advance the team's capability
Find some of this code that actually compiles …
Every tester should understand what the actions they are performing are doing in the background
10. What makes Duqu Special?
WMI Data Collection
◈ Enumerate process info
◈ Remote registry collection*
◈ Extract user info / files
Driver Management
◈ Start / Stop Drivers
◈ Load Drivers
◈ Write Drivers to disk
Situational Awareness
A unique set of tools that allowed data collection and provided awareness to operators.
◈ Detects running sniffers
Network Leverage
A slew of network based attacks and collection methods.
◈ PCAP*
◈ NetBIOS
◈ WPAD
Persistence
Unique persistence, or lack of persistence, for such an aggressive threat.
◈ TTPs and confidence
◈ Rarely implanted mechanism
AD Query
ADSI query and GC enumeration, think PowerView! This allows for all that PostEx fun.
12. Duqu style persistence
In Memory
Duqu reports indicate that the malware lived exclusively in memory.
- This is common practice among operators today
- We do however need to plant persistence on long term operations
Location Based
Reports indicate that agent implant location was a large factor.
- This dictated the survivability of the agent
- Picked high uptime servers / data centers*
HIPS Avoidance
Stealth is an obvious concern: staying off disk and avoiding potential HIPS.
- Dropping to disk poses a risk of being caught by heuristics etc.
13. What was the driver to build this TTP?
◈ On a few long term engagements that required persistence and the ability to OP (30+ days)
◈ Need the ability to maintain constant C2 for backup
◈ This tool came in handy on more than one occasion and allowed for success
15. Building Survivability Rating!
Invoke-FindPersistence
❏ Main entry point
❏ PowerView!
❏ Enumerates target domain
❏ Filters: OS, Service Pack, SPN, ADSPath, Filter, ComputerName
Invoke-Ping/Test-Wmi
❏ Feed computer object into Ping
❏ Feed the up objects into Test-Wmi to check for RPC
❏ WMI objects are full of properties (pass Win32_OperatingSystem)
Calculate Values
❏ Calculate value from 0-100
❏ This is dependent on type of property
❏ Calculate weighted average to percent
❏ Calculate Persistence Survivability Rating
Build Statistics
❏ Calculate Mean PSR
❏ Calculate Standard Deviation of PSR
❏ Variance IDs hot spots!
[Flow diagram labels: Calculate Weight, Obtain WMI, Get-NetComputer]
16. Running the script
◈ Threads
- Allowed for extremely fast WMI tests and data collection
◈ PowerView Get-NetComputer as the searcher:
- Allows for very granular host selection: ADSPath, Filter and OS
◈ Tips:
- Find a custom “OU” for servers | PS> Get-NetOU -OUName *server*
- Set -MaxHosts to a reasonable query size
- Set -OperatingSystem to server versions
17. Persistence Survivability Rating

Property          Query                   Weighted Value  Implemented
Boot Time         Get-WmiBootTime         40%             Yes
Install date      Get-InstallDate         5%              Yes
OS Level          Get-WmiOS               5%              Yes
System Enclosure  Get-WmiSystemEnclosure  10%             Yes
Architecture      Get-WmiArch             5%              Yes
Disk Size         Get-WmiDisk             5%              Yes
Processor Count   Get-WmiProcessorCount   5%              Yes
Processor Cores   Get-WmiProcessorCores   5%              Yes
Processor Speed   Get-WmiProcessorSpeed   5%              Yes
Process Count     Get-WmiProcessCount     5%              Yes

Persistence Checks
Query              Impact            Implemented
VM Checks          Truth of data     Yes
WMI Event Logging                    No
Portable OS        Implant Location  Yes
20. Why 0day when you don't use SMB signing?
Network Leverage
21. Duqu style network collection
Modular Build
Duqu reports indicate that the malware was modular in nature.
- Common in malware and allows a custom build of the agent
- Reduces operational risk
- This dynamic execution is emulated via reflective DLLs
Sniffer
Duqu used the legitimate WinPcap (npf.sys) driver for sniffing!
- Full network stack capture
- Ability to spoof and alter the network stack
Network Attacks
Although Duqu had plenty of offensive capability, were common network attacks integrated?
- Allowed for NetBIOS / WPAD attacks
- Why use 0day or burn TTPs if a WPAD attack works?
- Beyond AD in cases where separate network segments exist
22. Network Capture Options
UserMode
Within usermode, options are very limited. Elevated context is required and only limited capture is available.
- WinSock2 possible
- Allows pure native Windows subsystem code to execute :)
- OSI layer 3 and above available
- No spoofing of the network stack
KernelMode
Kernel space allows for complete control over the network stack and NIC. Elevated context and a signed driver are needed.
- Allows for NDIS integration of protocol drivers (NPF)
- Full packet capture
- Full packet injection
- Network Monitoring
23. Native PCAP Capture in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ Cobalt Strike!
❏ WinSock2 - allows for native capture
❏ Set up required API calls
IPC Thread
❏ RDI in remote process has no communication with caller!
❏ Named pipe thread implemented for control
❏ Sets poison pill for control
❏ Write custom pcap header struct to disk
Receive Filter
❏ Parse packet IP and protocol headers
❏ Filter on packet count, IP, port, and file size
❏ Parse and write to stdout
❏ Build PCAP packet struct and write to file
[Flow diagram labels: Write Packet, Build PCAP, Start Capture]
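Added example, not the talk's capture tool: the pcap file layout and the receive-filter logic slide 23 describes, in portable C++. The global header and per-record header follow the libpcap file format (magic 0xa1b2c3d4, version 2.4, little-endian fields); LINKTYPE_RAW (101) is used because a user-mode raw socket returns packets starting at the IP header, so there is no Ethernet frame to record. The SYN packet is constructed for this example (checksums left zero), the Filter struct is this example's naming for the packet count, IP, port and file size limits the slide lists, and the socket receive loop itself is deliberately left out: capture() takes an already-received packet list.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Little-endian field writers: the file is byte-identical on any host byte order.
static void put16(std::vector<uint8_t>& b, uint16_t v) {
    b.push_back(static_cast<uint8_t>(v & 0xFF));
    b.push_back(static_cast<uint8_t>(v >> 8));
}
static void put32(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>((v >> (8 * i)) & 0xFF));
}

// pcap global header (24 bytes). LINKTYPE_RAW (101) means each record starts at the
// IP header, which is what a user-mode raw socket hands back (no Ethernet frame).
void writePcapHeader(std::vector<uint8_t>& out, uint32_t linktype = 101) {
    put32(out, 0xA1B2C3D4);        // magic: microsecond timestamps
    put16(out, 2); put16(out, 4);  // file format version 2.4
    put32(out, 0);                 // thiszone (GMT offset)
    put32(out, 0);                 // sigfigs
    put32(out, 65535);             // snaplen
    put32(out, linktype);
}

// Per-packet record header (16 bytes) followed by the captured bytes.
void writePcapRecord(std::vector<uint8_t>& out, const std::vector<uint8_t>& pkt,
                     uint32_t sec, uint32_t usec) {
    put32(out, sec);
    put32(out, usec);
    put32(out, static_cast<uint32_t>(pkt.size()));  // incl_len: bytes saved
    put32(out, static_cast<uint32_t>(pkt.size()));  // orig_len: bytes on the wire
    out.insert(out.end(), pkt.begin(), pkt.end());
}

struct Parsed { bool ok; uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };

// Minimal IPv4 header parse plus TCP/UDP ports: the fields the receive filter keys on.
Parsed parseIPv4(const std::vector<uint8_t>& p) {
    Parsed r{false, 0, 0, 0, 0, 0};
    if (p.size() < 20 || (p[0] >> 4) != 4) return r;
    const std::size_t ihl = static_cast<std::size_t>(p[0] & 0x0F) * 4;
    if (ihl < 20 || p.size() < ihl) return r;
    r.proto = p[9];
    r.src = (uint32_t(p[12]) << 24) | (uint32_t(p[13]) << 16) | (uint32_t(p[14]) << 8) | p[15];
    r.dst = (uint32_t(p[16]) << 24) | (uint32_t(p[17]) << 16) | (uint32_t(p[18]) << 8) | p[19];
    if ((r.proto == 6 || r.proto == 17) && p.size() >= ihl + 4) {  // TCP or UDP
        r.sport = static_cast<uint16_t>((p[ihl] << 8) | p[ihl + 1]);
        r.dport = static_cast<uint16_t>((p[ihl + 2] << 8) | p[ihl + 3]);
    }
    r.ok = true;
    return r;
}

// Receive filter (this example's naming): 0 means "no limit" for every field.
struct Filter { uint16_t port = 0; uint32_t ip = 0; uint32_t maxPackets = 0; std::size_t maxBytes = 0; };

bool filterAccepts(const Filter& f, const Parsed& p, uint32_t written,
                   std::size_t fileBytes, std::size_t pktLen) {
    if (!p.ok) return false;
    if (f.port && p.sport != f.port && p.dport != f.port) return false;
    if (f.ip && p.src != f.ip && p.dst != f.ip) return false;
    if (f.maxPackets && written >= f.maxPackets) return false;
    if (f.maxBytes && fileBytes + 16 + pktLen > f.maxBytes) return false;  // file size cap
    return true;
}

// Constructed sample: IPv4 10.0.0.1 -> 10.0.0.2, TCP 49152 -> 443, SYN, no payload.
// Checksums are left zero; they are not needed for the header parse.
std::vector<uint8_t> sampleSyn() {
    return {0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
            0x0A, 0x00, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02,
            0xC0, 0x00, 0x01, 0xBB, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
            0x50, 0x02, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00};
}

// Run received packets through the filter and build the pcap image in memory.
std::vector<uint8_t> capture(const std::vector<std::vector<uint8_t>>& pkts, const Filter& f) {
    std::vector<uint8_t> out;
    writePcapHeader(out);
    uint32_t written = 0;
    for (const std::vector<uint8_t>& p : pkts) {
        if (!filterAccepts(f, parseIPv4(p), written, out.size(), p.size())) continue;
        writePcapRecord(out, p, 0, written);  // constructed timestamps
        ++written;
    }
    return out;
}

int main() {
    Filter f;
    f.port = 443;
    f.maxPackets = 100;
    std::vector<uint8_t> img = capture({sampleSyn(), sampleSyn()}, f);
    if (FILE* fp = std::fopen("sample.pcap", "wb")) {
        std::fwrite(img.data(), 1, img.size(), fp);
        std::fclose(fp);
    }
    std::printf("pcap image: %zu bytes\n", img.size());
    return 0;
}
```

The resulting sample.pcap opens in Wireshark or tcpdump; a 40-byte packet costs 56 bytes in the file (16-byte record header plus payload), so the file-size limit is checked against the record as it would be written, not against the raw packet length.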
27. Finally Weaponize with Stephen Fewer ReflectiveDLL Injection!
Why?
◈ Stealthy:
- Loaded library will not appear in the PEB's list of loaded modules
- Enumeration of process modules will also not yield exposure
- Entirely in memory execution
◈ Modular Design:
- Allows for dynamic expansion of the agent if the developer builds an IPC standard
- DLL patching for second stage payloads
- Agent would only need a stub loader
RDI Process Injection:
1. Obtain byte array of DLL
2. Get handle on target proc and allocate memory
3. RWX target memory
4. Copy over DLL to target allocated memory
5. Calculate memory offset for the DLL export
6. Create remote thread with known offset to entry point
7. Reflective Loader function locates needed libraries (kernel32.dll)
8. Locate memory addresses of API calls needed to load itself
9. Finally once loaded into memory, call DllMain()!
https://github.com/stephenfewer | http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
30. APT Driver Loading
Critical Design
Duqu required driver execution within a few modules. This could dramatically help testers:
- The nature of Duqu's mission would need this capability
- This capability is not often needed on Pen Test / Red Team
Stealthy
Standard driver loading often entails a service creation with reboot. Hot loading a driver can be done two ways:
- Kernel Driver Service Creation
- NtLoadDriver() undocumented functionality
Unsigned Drivers
The ability to load custom drivers relies on signed drivers. This however can be bypassed:
- Using exploitable drivers to gain kernel code execution
- ProjectSauron used this for a network packet filtering & modification driver
31. What was the driver to build this TTP?
◈ The process to start WinPcap dynamically - we will be using NPF as the scenario
◈ Ability to perform full packet capture!
◈ Because direct threat replication is cool
32. Loading Driver Options (We will cover both)
SC Driver Loading
Using the Service Control Manager we can start and stop kernel driver services. This is easy on the scale but leaves a larger footprint forensically.
- Easy to implement
- Dirty artifacts: Service Creation, Service Deletion, Driver Load event
- Requires Driver Path and Name
NtLoadDriver() Loading
Using the undocumented function NtLoadDriver(), stealthy driver loading is possible.
- Allows for NDIS integration of protocol drivers (NPF)
- Full packet capture
- Full packet injection
- Network Monitoring
33. SC Driver Loading in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ CobaltStrike!
❏ Base64 decode driver and DLLs
❏ Write DLLs and driver to required locations
Open SC Manager
❏ SC Handle creation
❏ Start Kernel Driver Service
❏ Remove service used to load driver
Start Required Application
❏ Run User Mode code / application
❏ All required DLLs are loaded via LoadLibrary etc.
❏ Driver is in kernel space
❏ Safe to remove files
Clean Up
[Flow diagram labels: Service Deletion, Decode and Write]
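From the defender's side, an added example (not from the talk) that turns the "dirty artifacts" slide 32 lists into a detection check over the Service Control Manager events a kernel driver service leaves in the System log: 7045 (a service was installed, which records the service type and image path) and 7036 (the service entered the running or stopped state). The key=value line format, the service name "drvldr" and the image paths are constructed for this example. The two rules flag a kernel mode driver installed from outside system32\drivers, and a driver service that is stopped right after being installed, the load-use-remove sequence slide 33 describes; a driver installed from the normal location and left running, like the npf sample line, is not flagged.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Finding { std::string service; std::string reason; };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Constructed line format: "Key=Value;Key=Value;..." (a flattened event record).
std::map<std::string, std::string> parseLine(const std::string& line) {
    std::map<std::string, std::string> kv;
    std::size_t pos = 0;
    while (pos < line.size()) {
        std::size_t end = line.find(';', pos);
        if (end == std::string::npos) end = line.size();
        const std::string field = line.substr(pos, end - pos);
        const std::size_t eq = field.find('=');
        if (eq != std::string::npos) kv[field.substr(0, eq)] = field.substr(eq + 1);
        pos = end + 1;
    }
    return kv;
}

// Rule 1: 7045 installing a kernel mode driver whose image is outside system32\drivers.
// Rule 2: a kernel driver service installed (7045) and then stopped (7036) in the same
//         window, i.e. loaded for a job and torn down afterwards.
std::vector<Finding> analyze(const std::vector<std::string>& lines) {
    std::vector<Finding> out;
    std::map<std::string, bool> driverInstalled;  // keyed by lowercase service name
    for (const std::string& line : lines) {
        std::map<std::string, std::string> kv = parseLine(line);
        const std::string id = kv["EventID"];
        const std::string name = lower(kv["ServiceName"]);
        if (id == "7045" && lower(kv["ServiceType"]).find("kernel mode driver") != std::string::npos) {
            driverInstalled[name] = true;
            const std::string path = lower(kv["ImagePath"]);
            if (path.find("system32\\drivers\\") == std::string::npos)
                out.push_back({name, "kernel driver installed from unusual path: " + kv["ImagePath"]});
        } else if (id == "7036" && lower(kv["State"]) == "stopped" && driverInstalled[name]) {
            out.push_back({name, "kernel driver service stopped shortly after install"});
            driverInstalled[name] = false;
        }
    }
    return out;
}

// Constructed sample lines modelled on System log Service Control Manager events.
std::vector<std::string> sampleLog() {
    return {
        "EventID=7045;ServiceName=npf;ServiceType=kernel mode driver;ImagePath=system32\\drivers\\npf.sys",
        "EventID=7036;ServiceName=npf;State=running",
        "EventID=7045;ServiceName=drvldr;ServiceType=kernel mode driver;ImagePath=C:\\Users\\Public\\drvldr.sys",
        "EventID=7036;ServiceName=drvldr;State=running",
        "EventID=7036;ServiceName=drvldr;State=stopped",
        "EventID=7045;ServiceName=Spooler;ServiceType=user mode service;ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    };
}

int main() {
    for (const Finding& f : analyze(sampleLog()))
        std::printf("[%s] %s\n", f.service.c_str(), f.reason.c_str());
    return 0;
}
```

Both rules are deliberately cheap: they need no driver signature check and no file on disk, which matters because the slide's flow deletes the service and the files once the driver is resident, so the event log is often the only artifact left.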
35. Loading WinPcap DLL Matrix

Operating System  Packet.dll    wpcap.dll
Windows XP x86
Windows 7 x86     Packet 2.dll  wpcap.dll
Windows 7 x64
Windows 10 x86    Packet 2.dll  wpcap.dll
Windows 10 x64    Packet 3.dll  wpcap 2.dll

Extracted WinPcap package
38. NtLoadDriver Loading in C++!
Reflective DLL
❏ Main entry point
❏ Entire project is weaponized in a reflective DLL (RDI)
❏ CobaltStrike!
Enable Privileges
❏ Enable privileges for current process
❏ SeLoadDriverPrivilege
Write Registry Keys
❏ NtLoadDriver requires a registry location
❏ Write the three keys required for the API
Load NTDLL.dll
❏ Retrieve NTDLL.dll location
❏ Retrieve process location of undocumented call NtLoadDriver()
❏ Convert path to unicode
❏ Call undocumented API call
❏ Pass registry path
NtUnloadDriver
❏ Call NtUnloadDriver on the registry path
❏ Clean up after all calls are done etc.
42. What makes APT 29 Special?
WMI
◈ Heavy reliance on WMI
◈ Custom WMI class creation
◈ Heavy use of PowerShell
Persistence
◈ Not agent persistence but the level of activity
◈ Extremely well equipped
Agent Deployment
The ability to use multiple agents with multiple IOCs
◈ Using a main agent vs backup agent
◈ Think C2 initial setup
Known
Lots of great research on the net! Talks from Mandiant and:
◈ DEF CON talks like "WhyMI so Sexy?" by Matt Graeber
◈ Nick Carr, Matt Dunwoody, DJ Palombo, and Alec Randazzo Mandiant Talk
44. Agent Capability
Core Agent (Modular):
- Pure C++ Agent
- In memory logging outlet
- Standard Calls (Sleep/Jitter etc.)
- VM Detection (WMI Profiling)
- AV Detection (Driver Query Based)
- Process Listing (API / WMI Methods)
- Shell Commands (cmd.exe)
- Shellcode Injection (Process Injection)
- Token Manipulation (Make Token/Rev)
- RunAs
- WinAES (Windows Crypto Providers)
- WMI Monitoring:
- Service Creation
- Process Creation
- Driver Creation
45. WMI Event Monitoring
Why should I care?
◈ HUNT / IR is doing it to catch you, why can't we use it to catch them?
⬥ HIPS, UpRoot
◈ Think about how you capture memory from a compromised machine!
⬥ USB with Memoryze in userland...
◈ The ability to make operator decisions agent side in time sensitive situations
⬥ The ability to cleanly exit an agent or just sleep
What should we monitor:
◈ Process Creation:
⬥ IR Toolset
⬥ Common RE / Memory Capture
⬥ Environmental Change (HUNT?)
◈ Service Creation:
⬥ New software, e.g. Cylance service creation
◈ Driver Install:
⬥ Often complete memory capture requires a signed driver
⬥ NPF.sys, mktools.sys etc..
52. Conclusion
Code Takeaways:
◈ All of these techniques are talked about, documented and mentioned.
⬥ Nothing 100% novel
◈ Finding the documentation is hard; it is near nonexistent
⬥ Finding code that compiled..
◈ Hopefully the mass amount of PS and C++ code examples are helpful!
⬥ All written in VS 2015 with project files :)
Key Takeaways:
◈ The attempt to try some of these techniques (TTPs)
⬥ Driver loading not often, but really cool!
◈ The knowledge gained on low level Windows operations
⬥ Very key for operators debugging toolsets