CheckPlease - Payload-Agnostic Implant Security

Presented at BSides Las Vegas 2017

  1. CheckPlease - Payload-Agnostic Implant Security
     @Arvanaghi & @ChrisTruncer
  2. Brandon Arvanaghi
     • Associate Consultant at Mandiant
     • Red teaming, reverse engineering, tool development
     • Vanderbilt University
  3. Chris Truncer
     • Previous sysadmin turned red teamer
     • West Coast Red Team Lead
     • Open source developer: Veil, EyeWitness, WMImplant
  4. Pop Quiz
     Which is more effective at stopping malicious applications from executing?
     1) Application whitelisting
     2) Application blacklisting
  5. Pop Quiz
     • Answer: application whitelisting!
     • Rather than trying to enumerate everything we don't want to allow, we identify what we do want
     • Disallow all else!
     • AppLocker on Windows 7, 8, 10
  6. Sandbox Detection
     • A sandbox is a virtual environment designed to monitor malware behavior (dynamic analysis)
     • Malware acts benign if it thinks it is being dynamically analyzed
  7. Sandbox Detection
     • Old thinking: sandboxes look a certain way, so let's have our payloads specifically check whether they are in a sandbox
     • Avoid running if that is the case
     • Registry keys and values, MAC addresses, limited RAM, etc.
     • Can be useful!
  8. Implant Security
  9. Realization
     • Trying to detect if you are in a sandbox is a form of blacklisting!
     • Identifying every kind of sandbox is too hard!
     • Why do we write sandbox detection checks in the first place?
  10. Realization
     We want our malware to run where we expect. Avoiding sandboxes is a byproduct of that.
  12. Workflow for Implant Security
     1. Get initial access into the domain
        a. Limited information
     2. Immediately exfiltrate domain data
        a. We don't dump creds initially, do we?
     3. Never use a non-targeted payload again for that domain!
  13-14. The Problems with Pure Sandbox Detection
     1. You are not that smart.
        Hard enough debugging failed payloads. AV? RAT? Whitelisting? Hard to say.
  15-16. The Problems with Pure Sandbox Detection
     2. Uptick in VM usage
        VMs used to be indicative of sandboxes. Today, they are critical assets. We want to target them!
  17-18. The Problems with Pure Sandbox Detection
     3. Sandboxes look like legacy systems
        Legacy systems are easiest to target. Blacklisting sandboxes means missing out!
  19-20. The Problems with Pure Sandbox Detection
     4. Anti-Anti-VM
        How many more Anti-s do you want?
        • Attackers strike
        • Defenders detect
        • Attackers mod
        • Goto 1
  21. CheckPlease
  22. Creating a Payload-Agnostic Repository
     • Implant security modules are written exclusively in C, or only discussed abstractly
     • Payload delivery is increasingly written in non-standard languages
     • Let's make a centralized library implementing these techniques in all languages!
  23-29. CheckPlease: Languages Supported
     • C
     • C#
     • PowerShell
     • Python
     • Go
     • Ruby
     • Perl
  32. Why don't sandboxes follow all paths?
     • Design decision for sandboxes
     • They don't have the computing power to follow every branch of the tree
  33. Why don't sandboxes follow all paths?
     Example problem:
        if ($env:username -eq "USERNAME THAT WOULD NEVER EXIST") {
            # Expand into several branches of nonsense
            # Goal: waste the sandbox's time and resources
            # Sandbox rendered useless
        }
  34. Daddy Issues
  35. Parent Process
     • Every time we launch a payload, we know exactly what the parent process should be!
     • Word document? PDF document? HTA application?
     • Most languages support finding the PPID
     • Use it to look up the process name
  36. Parent Process: Python
  37. Parent Process: PowerShell
  38. Sleeping (I'm tired)
  39. Payload Sleeping
     • This is the first thing most people will try
     • Make your code sleep an hour; should work, right? A sandbox can't keep resources running that long!
     • Nope
  40. Payload Sleeping
     • Sandbox developers obviously know this too
     • They look for sleep calls and hook them
     • Any sleep call is fast-forwarded: execution jumps immediately to the next part of the code
     • So... how can this be beaten?
  41. Payload Sleeping
     • Outsource time requests to NTP servers!
     • Request the current time from an NTP server
     • Try to sleep for the requested amount of time
     • Request the current time from an NTP server again
  42. Payload Sleeping
     • Alternative option
     • Can you develop a function which takes an approximate amount of time to compute?
     • Iterate over that function as many times as you'd like to sleep
     • Removes the network dependency for the check
  44. Encryption
  45. Encrypt with Targeted Indicators
     • To protect our implant from running where we don't expect, we can encrypt it
     • The key? An indicator from our targeted host
     • MAC address
     • Username + hostname
     • Etc.
     • Once again, the sandbox is a BYPRODUCT!
  46. Encrypt with Targeted Indicators
     • How does this work?
     • Payload dynamically pulls system information
     • System information is concatenated to generate an encryption key
     • If the key is correct, decrypt the data and run the real code
     • If not, assume we are on the wrong system and die
  47. Encrypt with Targeted Indicators
     Ebowla is a great example of this in practice: https://github.com/Genetic-Malware/Ebowla
  48. Delay-Analysis Module
     • In the hands of a skilled reverse engineer, nothing is infallible
     • That's not the goal; just beat initial automated analysis
     • This can start at the source code level
     • Used Hyperion?
  49. Delay-Analysis Module
     • Hyperion receives your "file" and outputs a different, encrypted file
     • The output is encrypted with no key stored inside
     • Due to an artificially constrained keyspace, it brute forces itself
     • Let's recreate this!
  50. Delay-Analysis Module
     • The Delay-Analysis Python script receives an input file (your source code)
     • Select the language your code is in
     • Output is encrypted code which brute forces itself at runtime
  51. Python: Delay Analysis
  55. 55. Process Names • Easy to write code that enumerates running processes • Validate that no-blacklisted processes are running at the same time • Wireshark • VMWare • Process Explorer • tshark 55 @Arvanaghi @ChrisTruncer
  56. 56. Process Names 56 @Arvanaghi @ChrisTruncer
  57. 57. Windows Updates • The number of recent Windows updates can provide information about the system • How often it is patched • Uptime • Real users will likely update more than sandboxes 57 @Arvanaghi @ChrisTruncer
  58. 58. Windows Updates 58 @Arvanaghi @ChrisTruncer
  59. 59. Registry Size • Do you know the approximate size of your system’s registry? • Fingerprint this information for an approximate size within the targeted organization • Validate it at runtime! 59 @Arvanaghi @ChrisTruncer
  60. 60. 60 @Arvanaghi @ChrisTruncer
  61. 61. User Activity 61 We all love users :)
  62. User Interaction
     • Reasons you want a user present:
     • Authed but don't have the user's credentials
     • Present a prompt to enter creds
     • Watch them over VNC, see the internal sites they navigate to
     • Built into Cobalt Strike
     • Two-factor push notification
     • Etc.
  63. Mouse Clicks
     • Check for user presence via mouse activity
     • If the mouse is registering clicks, it's indicative of user activity
     • Require a minimum number of clicks prior to executing the "protected code"
  64. Python: Execute after "N" clicks (Mouse Clicks)
  65. PowerShell: Execute after "N" clicks (Mouse Clicks)
  66. Mouse Position
     • In addition to mouse clicks as one metric for user activity, track mouse location
     • The screen can be broken down into (x,y) positions
     • Compare the mouse location over a period of time (30 seconds?)
     • It should be near impossible to see the exact same location
  67. Go: Check Mouse Position
  68. Prompt Users!
     • Users already get prompted for a variety of reasons, what's one more?
     • They already just give us passwords, why not click a button?
     • Sole purpose is to require interactive use prior to code execution
     • When run, the code presents the user with a pop-up and waits to run
  69. Ruby: Prompt User
  71. What else can we target?
     • Number of USB drives mounted on the system
     • Number of web browsers
     • Minimum number of processes
     • Whether certain files exist on disk
     • Whether specific Registry keys/values exist (think installed programs, etc.)
     • The number of processors on the system
     • The minimum RAM size
     • The minimum disk size
     • The size of the Registry
     • Whether a DLL is loaded
     • Whether a process is running
  72. Porting to Your Payload
  73-76. Only Running on Targeted System
        if ((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq $expectedDomain) {
            if ($env:username -eq $expectedUsername) {
                if ($env:computername -eq $expectedHostname) {
                    # Passed all checks, proceed!
                }
            }
        }
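From the defender's side, the nested domain/user/host gate shown above, together with the sleep and process-name checks from earlier slides, leaves a recognisable footprint in PowerShell script block logging. The following Python is an added example, not part of the talk or the CheckPlease project: it scores constructed script block entries for co-occurring environment-keying indicators; the log bodies and the `Get-NtpTime` cmdlet name are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample ScriptBlock log bodies (not real telemetry). The first
# mirrors the nested domain/user/host gate from the slides, the second adds a
# sleep/NTP delay and an analysis-tool process blacklist, the third is benign.
SAMPLE_SCRIPT_BLOCKS = [
    "if ((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq $expectedDomain) {"
    " if ($env:username -eq $expectedUsername) {"
    " if ($env:computername -eq $expectedHostname) { Invoke-Expression $stage2 } } }",
    "$t0 = (Get-NtpTime pool.ntp.org); Start-Sleep -Seconds 600;"  # Get-NtpTime is a made-up name
    " if (Get-Process | Where-Object { $_.Name -match 'wireshark|vmtoolsd|procexp' }) { exit }"
    " if ($env:username -eq 'jdoe') { [Reflection.Assembly]::Load($bytes) }",
    "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item",
]

# Indicator categories drawn from the techniques the talk describes.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "domain_gate": re.compile(r"Win32_ComputerSystem\)\.Domain\s+-eq", re.I),
    "username_gate": re.compile(r"\$env:username\s+-eq", re.I),
    "hostname_gate": re.compile(r"\$env:computername\s+-eq", re.I),
    "sleep_delay": re.compile(r"Start-Sleep|\bntp\b", re.I),
    "analysis_tool_check": re.compile(r"wireshark|tshark|vmware|vmtoolsd|procexp", re.I),
    "dynamic_load": re.compile(r"Invoke-Expression|\[Reflection\.Assembly\]::Load|\bIEX\b", re.I),
}


def score_block(script: str) -> List[str]:
    """Return the indicator categories present in one script block, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def flag_environment_keying(blocks: List[str], min_hits: int = 2) -> List[dict]:
    """Flag blocks where at least `min_hits` categories co-occur; a single
    $env:username comparison on its own is ordinary admin scripting."""
    flagged = []
    for index, block in enumerate(blocks):
        hits = score_block(block)
        if len(hits) >= min_hits:
            flagged.append({"index": index, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for finding in flag_environment_keying(SAMPLE_SCRIPT_BLOCKS):
        print(finding)
```

In a real pipeline the input would be the ScriptBlockText field of event 4104 records; the threshold and category list are tuning knobs, not a verdict.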
  77. Veil
     • This is a great opportunity to contribute to Veil's codebase
     • Add a means to automatically generate targeted payloads
     • Merge the code and quick demo
  79. THANKS! Any questions?
     https://github.com/Arvanaghi/CheckPlease
     @Arvanaghi @ChrisTruncer
