Adversarial Post Ex - Lessons from the Pros
Published on: BSidesDC 2016
1. Adversarial Post-Ex
Lessons From The Pros
Justin Warner, Chris Ross
Veris Group’s Adaptive Threat Division

2. Overview
◦ Introductions
◦ Adversary Emulation
◦ Lessons From “Bad Guys”
◦ Post-Ex Features
▫ Analysis of Bad Guy Use
▫ Lessons Learned
▫ Proof Of Concept
◦ Defending Against Post-Ex
◦ Conclusion

3. $whoami
◦ Justin Warner
▫ Manager - Offensive Services, ATD
▫ Former USAF Guy
▫ Interest: red team, reverse engineering, PowerShell, and studying tradecraft
◦ Chris Ross
▫ Penetration Tester/Red Teamer - ATD
▫ Python EmPyre Developer
▫ Interest: Replicate adversarial tradecraft in PowerShell and Python

4. Inspiration For This Talk
◦ Richard Wartell (@Wartotell) - Malware Is Hard, Let’s Go Shopping!
◦ Offensive toolsets
▫ Matt Graeber (@mattifestation) - PowerSploit Project
▫ Josh Pitts (@midnite_runr) - BDF Proxy
▫ Jamieson O'Reilly - Mimikittenz
◦ Lots of red team engagements

5. First Things First
Let’s not rush this
6. Adversaries
◦ Adversary - One’s opponent in a conflict
◦ Threat - The potential for the occurrence of a harmful event
▫ The source and means of harm
◦ This is the entity on the other side of the playing field
▫ A wide range of entities and abilities
▫ A lot can be learned by studying them

7. APT Like These Guys

8. … Or More Like These Guys

9. Adversary Emulation
◦ A type of red teaming that focuses on the emulation of a specific adversary
▫ Utilize intel to model the adversary
▫ Highly realistic tools
▫ Attempt to behave as they have before
▫ Many strengths
◦ Some weaknesses to this approach
▫ Risk of handcuffing the red team
▫ Easy to study tools, hard to emulate tactics/techniques (lack of intel)

10. Diamond Model
The Diamond Model of Intrusion Analysis - Chris Betz, Sergio Caltagirone, Andrew Pendergast
Axiom 1: “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result”.

11. Post-Exploitation
◦ Post-Exploitation - The actions taken by an adversary after exploitation
◦ Some example actions:
▫ Recon
▫ Privilege Escalation
▫ Credential Abuse
▫ Lateral Spread
▫ Additional Exploitation
▫ Sensitive Data Access
▫ Exfiltration

12. Malware Repurposing
◦ The process of analyzing malware with the intent of reusing techniques, code, or actual samples
◦ Relax… somebody else has done the work so you don’t have to

13. School Is In Session
Bad Guys
14. Learning From “Bad Guys”
◦ Benefits:
▫ Highly realistic (based on real events)
▫ Continuous tool ideas - “Hackers gonna Hack”
▫ They have solved the problem for you
◦ Downsides:
▫ Can be a significant effort to emulate
▫ Not always easy to translate techniques into usable assessment methods
▫ Risk of focusing too much on known methods
▫ Limit creativity

15. Process For Emulation

16. See Cool Stuff
◦ Where can we see cool stuff?
▫ APT Reports
▫ VirusTotal API
▫ Private malware sources
▫ Network defenders (for internal teams)
▫ VirusShare
◦ What are we trying to get our hands on?
▫ Raw samples
▫ IOCs and other obvious defensive sigs
▫ Technical discussion over TTPs (intel)

17. Analyze Cool Stuff
◦ Malware analysis and RE skills will be useful but are not required
▫ Plenty of technical threat reporting to help guide your development
◦ Learning RE is fun!
   “Practical Malware Analysis”
   “The IDA Pro Book”
   Endless hours reading assembly and controlling bad guy tools
◦ Consider the value of generic TTP discussion rather than tool specifics

18. We Will Not Do This To You

19. Research Alternatives
◦ Are there other APIs or pre-built libraries that will allow you to accomplish this technique?
▫ Will be useful to be familiar with WinAPI
▫ .NET assemblies will have many things implemented for you
◦ Is there a project that already implemented a certain technique?
▫ If it is not “representative” enough, might not consider it an alternative

20. Implement Cool Stuff
◦ Don’t work too hard…
▫ No need to learn C/C++ unless you are truly strict on replicating
▫ Live off the land!
◦ Why are we such PS fanboys?
▫ Native to Win7 and above
▫ Direct API access through reflection
▫ When used appropriately, memory only capabilities can be created
▫ Easy to prototype, dev, test, and deploy in a rapid manner

21. Tool Disclaimer
◦ These tools are POCs written to demonstrate concepts
▫ Not all of them will be actively supported
◦ Use at your own risk… learn the language and review the code!
▫ Even better, start similar projects or contribute back to these
22. Hot Cam & Hot Mic
Oh the things you will see...
1

23. Examples In Wild
◦ Microphone
▫ LuxNetRAT - “Over the Counter” RAT
   https://brage.bibsys.no/xmlui/bitstream/handle/11250/198379/KTGardasen.pdf
   MCISendString to issue commands to the backend interface
◦ Webcam
▫ RocketKitten - MPK Shell
   Simplistic custom backdoor
   VFW capCreateCaptureWindow API call to create a hidden capture window
   SendMessage to the new capture window to control the camera actions

24. How it Works - MCI Hot Mic
Multimedia Command Interface - Device independent method of controlling multimedia devices
Diagram: each command string is passed to MCISendString in turn, with a Sleep while the audio is recorded
“open new Type waveaudio Alias SecretName”
“record SecretName”
“save SecretName”
“close SecretName”

25. How it Works - VFW Snapshot

26. Alternatives?
◦ Video
▫ Most of the tools we saw utilized DirectX and DirectShow to accomplish Video Capture
   There is a .NET assembly for this!
▫ What does MS say about VFW:
◦ Audio
▫ We analyzed a bunch of tools that used native WinMM methods instead of MCI

27. MCI Hot Mic
◦ Get-MicrophoneAudio in PowerSploit “dev” branch
▫ Utilizes pure reflection in PowerShell to call Win32 API in Winmm.dll
▫ Writes “wav” file to disk at specified location
▫ No compression
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-MicrophoneAudio.ps1

28. RocketKitten VFW Mockup
◦ Get-VFWSnapshot
▫ Logically similar mockup of camera functionality in the MPK backdoor
▫ Utilizes PSReflect from Matt Graeber to expose Win32 APIs
▫ BUT… causes user interaction almost every time (unless camera is activated)
https://github.com/sixdub/BSidesDC2016/blob/master/Get-VFWSnapshot.ps1

29. ...When We Listen To M$
◦ Get-DXWebcamVideo.ps1
▫ Utilizes DirectShow .NET and DirectX Capture Library
   All credit to the original authors:
   DirectX Capture - Brian Low - Public Domain
   DirectShow .NET - Unknown - LGPL
▫ Captures video and audio
▫ Supports compression and video tuning
https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-DXWebcamVideo.ps1
30. Toying With Skype
When APIs turn against you
2

31. Examples In Wild
◦ T9000 Malware - “tyeu.dat”
▫ Used in APAC region for targeted attacks
◦ Malware is used to gather screenshots from active user and Skype for Desktop data
▫ Heavy anti-analysis features :(
▫ Thread 1 - desktop screenshots
▫ Thread 2 - targeted window screenshots
▫ Thread 3 - Skype monitoring via API
   Video snapshots
   Audio recordings
   Call log

32. How it Works 1/2 (diagram)
1. RegisterWindowMessage
   SkypeControlAPIAttach
   SkypeControlAPIDiscover
2. SendMessageTimeout
3. Skype Alert
4. Messages filtered
   Custom WindowProc Function

33. How It Works 2/2 (diagram)
Call status notifications: RINGING, INPROGRESS, FINISHED
CALL 34243 - partner handle HotSexyBod123
“GET CALL 34243 PARTNER_HANDLE” → “HotSexyBod123”
“ALTER CALL 34243 SET_OUTPUT FILE=out.wav”
“ALTER CALL 34243 SET_CAPTURE_MIC FILE=mic.wav”
Status: Call Logged

34. Skype Controller
◦ Start-SkypeRecorder
▫ Heavily adapted from T9000 malware and other third party software.
▫ Utilizes pure .NET reflection to create a window and send messages.
▫ User interaction will be required upon request to connect to the Skype Desktop API.
https://github.com/sixdub/BSidesDC2016/blob/master/SkypeRecorder.ps1

35. File System Fun
Gift that keeps on giving
3
36. Example In Wild
◦ FLASHFLOOD Malware
▫ APT30 aka NaikonAPT
◦ Profiles host and packages up selected files
▫ Uses timestamps to measure change
▫ Uses deflate compression with slight mod
◦ Gathers:
▫ Windows Address Book (WAB) info
▫ All .lnk files from recent docs
▫ All files matching predefined patterns from:
   Connected drives (USBs)
   Desktop
   Temp internet files
   Temp

37. How it Works (diagram; path separators restored)
Desktop\accounts.doc
Desktop\Passwords.csv
Windows\$NtUninstallKB885884$\FlashFiles\accounts.ldf
Label: “Newer Than Recorded Time”

38. Alternate Techniques?
◦ Eventing Options:
▫ FindFirstChangeNotification - Win32 API to utilize asynchronous eventing to alert on file changes
▫ System.IO.FileSystemWatcher - .NET class that monitors file system changes
   https://gist.github.com/HarmJ0y/4034d935a3386b96f3ac
▫ WMI Eventing to detect change
◦ Numerous options available for storage/compression/encryption
▫ Will Schroeder’s (@harmj0y) Out-EncryptedStore function

39. FileSystemWatcher Exfil
◦ Utilizes Start-FileSystemMonitor
▫ Slight tweaks to make it dump output
◦ Combine with the following
▫ Out-EncryptedStore - BETTER OPTION
   Custom capability
   Uses RSA/AES as desired
   http://www.harmj0y.net/blog/redteaming/offensive-encrypted-data-storage
▫ Write-FlashfloodFile
   Replicates algorithm in FLASHFLOOD
   https://github.com/sixdub/BSidesDC2016/blob/master/Write-FlashfloodFile.ps1
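The two file-system primitives on slides 37 and 38 (comparing file timestamps against a recorded time, and System.IO.FileSystemWatcher eventing) look exactly the same from the monitoring side, which is where a defender meets them. The PowerShell below is an added example and is not code from the slides or from the BSidesDC2016 repository: Get-FilesNewerThan does the one-shot sweep of a folder against a baseline time, and Start-FolderChangeLog registers watcher events and appends every change to a log file. The folder, log path and extension list are assumptions chosen for illustration.

```powershell
# Added example (not from the talk): file timestamp sweep and FileSystemWatcher logging.

function Get-FilesNewerThan {
    # One-shot sweep: every file under $Path whose last write is after $RecordedTime.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][datetime]$RecordedTime,
        # Extension list is an assumption; adjust to the data you care about.
        [string[]]$Include = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.csv', '*.pdf', '*.txt', '*.ldf')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -gt $RecordedTime.ToUniversalTime() } |
        Select-Object FullName, Length, LastWriteTimeUtc
}

function Start-FolderChangeLog {
    # Continuous monitoring: log Created/Changed/Deleted/Renamed events as they happen.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$LogFile,
        [string]$Filter = '*.*'
    )
    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path = $Path
    $watcher.Filter = $Filter
    $watcher.IncludeSubdirectories = $true
    $watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

    # The action runs in this session for every event; $Event.MessageData carries the log path.
    $action = {
        $e = $Event.SourceEventArgs
        $line = "{0:o}`t{1}`t{2}" -f (Get-Date), $e.ChangeType, $e.FullPath
        Add-Content -LiteralPath $Event.MessageData -Value $line
    }
    $ids = foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
        (Register-ObjectEvent -InputObject $watcher -EventName $name -Action $action -MessageData $LogFile).Id
    }
    $watcher.EnableRaisingEvents = $true
    [pscustomobject]@{ Watcher = $watcher; SubscriptionIds = $ids }
}

function Stop-FolderChangeLog {
    # Unregister the subscriptions and release the watcher handle.
    param([Parameter(Mandatory)]$Session)
    $Session.Watcher.EnableRaisingEvents = $false
    foreach ($id in $Session.SubscriptionIds) { Unregister-Event -SubscriptionId $id }
    $Session.Watcher.Dispose()
}

# Usage (paths are assumptions):
$session = Start-FolderChangeLog -Path "$env:USERPROFILE\Desktop" -LogFile "$env:TEMP\desktop-changes.log"
# ... work for a while, then:
Stop-FolderChangeLog -Session $session
Get-FilesNewerThan -Path "$env:USERPROFILE\Desktop" -RecordedTime (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

The watcher only reports while the session that registered it stays alive, and it can drop events under heavy change rates (the .NET class raises an Error event when its buffer overflows), so the periodic timestamp sweep is the safety net that catches what the event stream missed.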
40. Catching Packetz
A deep look inside target networks
4

41. Examples In Wild
◦ NaikonAPT / APT30
▫ “Lateral movements included copying over and remotely setting up winpcap across desktop systems… then remotely setting up AT jobs to run”
◦ RocketKitten
▫ MPK Shell
   Raw sockets to sniff TCP/UDP
◦ Duqu 2.0
▫ Dropped WinPCAP driver in VFS and loaded to inject MDNS replies

42. How it Works - WinPCAP (diagram; path separators restored)
1- Install WinPCAP “Silently”
   sc.exe create npf ...
   %WINDIR%\system32\drivers\npf.sys
   packet.dll, wpcap.dll, pthreadvc.dll
2- Utilize WinPCAP For Capture
   ● pcap_open
   ● pcap_compile
   ● pcap_setfilter
   ● pcap_dump_open
   ● pcap_dump
   Output: secretdump.pcap

43. Research
◦ Numerous other methods can be used to capture/trace packets:
▫ Windows Filtering Platform Drivers
▫ Event Tracing for Windows (ETW)
◦ Inveigh uses raw sockets to spoof
▫ Kevin Robertson (@Kevin_Robertson)
◦ Previous work by Alex Rymdeko @killswitch_GUI
◦ Several .NET assemblies help us with WinPCAP in PowerShell

44. WinPCap Mockup
◦ Get-WinPCapCapture
▫ Utilizes Packet.NET and SharpPCap assemblies to accomplish capture
   Credit to those authors!
▫ Comes with Install and Remove function for “hot” loading of WinPCAP
▫ Allows you to add filters
▫ Stops capture when:
   Timeout is hit
   Size limit is reached
https://github.com/sixdub/BSidesDC2016/blob/master/Get-WinPCapCapture.ps1
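Slide 42 is also a list of the traces a silent WinPcap install leaves behind: the npf driver service created with sc.exe, npf.sys under the drivers directory, the packet.dll/wpcap.dll/pthreadVC.dll user-mode libraries, and a dump file. The hunt function below is an added example and is not part of the talk's tooling; it checks each of those artifacts on the local host. The search roots, the 30-day window and the assumption that the dump file carries a .pcap/.pcapng/.cap extension (the name on the slide, secretdump.pcap, is arbitrary) are mine.

```powershell
# Added example (not from the talk): hunt for the WinPcap artifacts listed on slide 42.
# Run as an administrator for full visibility of System32 and other users' profiles.
function Find-WinPcapTraces {
    [CmdletBinding()]
    param(
        # Where to look for capture output; assumption, widen as needed.
        [string[]]$DumpSearchRoots = @("$env:SystemDrive\Users", "$env:TEMP", "$env:ProgramData"),
        [int]$NewerThanDays = 30
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. The NPF driver service registered with "sc.exe create npf ..."
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add([pscustomobject]@{
            Kind   = 'Driver service'
            Path   = $svc.PathName
            Detail = "State=$($svc.State) StartMode=$($svc.StartMode)"
        })
    }

    # 2. Files a silent install drops; record write time and signature status for triage.
    $sys32 = Join-Path $env:WINDIR 'System32'
    $dropped = @(
        (Join-Path $sys32 'drivers\npf.sys'),
        (Join-Path $sys32 'packet.dll'),
        (Join-Path $sys32 'wpcap.dll'),
        (Join-Path $sys32 'pthreadVC.dll')
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            $sig  = Get-AuthenticodeSignature -FilePath $p
            $findings.Add([pscustomobject]@{
                Kind   = 'Dropped file'
                Path   = $p
                Detail = "Written=$($item.LastWriteTime) Signature=$($sig.Status)"
            })
        }
    }

    # 3. Recent capture output: packet dumps are unusual on end-user desktops.
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    foreach ($root in $DumpSearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include '*.pcap', '*.pcapng', '*.cap' -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Kind   = 'Capture file'
                    Path   = $_.FullName
                    Detail = "Size=$($_.Length) Written=$($_.LastWriteTime)"
                })
            }
    }

    return $findings
}

Find-WinPcapTraces | Format-Table -AutoSize
```

A legitimate Wireshark or Npcap install produces the same driver and DLLs, so the finding is a lead rather than a verdict: compare the file write times with the Service Control Manager's "service was installed" event (System log ID 7045, and Security 4697 where that audit category is enabled) and with whatever software inventory says should be on that host.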
45. Defense & Conclusion
IS THE WORLD ENDING?!??!

46. Mitigation
◦ There is not a single trick to prevent post-exploitation actions
▫ “Users gonna use” - @enigma0x3
▫ PowerShell != Enemy
◦ Use industry “best practice”
▫ Heavy auditing of environments
◦ You don’t need next-gen if you don’t defend the current-gen
▫ http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
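Every tool in this talk is a PowerShell script, and slide 46's “heavy auditing” together with “PowerShell != Enemy” points at the logging the platform already offers for it. The function below is an added example, not from the talk: it reports whether script block logging, module logging and transcription are enabled through their Group Policy registry keys (these take effect on PowerShell 5 or later), and whether the PowerShell operational log has actually produced a 4104 script block event recently, since a policy that is set but not producing events is the gap an engagement will find. The 24-hour window is an assumption.

```powershell
# Added example (not from the talk): check PowerShell auditing controls on the local host.
function Get-PowerShellAuditState {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)  # assumption: how far back to look for evidence

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $controls = @(
        @{ Name = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' },
        @{ Name = 'ModuleLogging';      Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' },
        @{ Name = 'Transcription';      Key = "$base\Transcription";      Value = 'EnableTranscripting' }
    )

    # Policy state: a missing key means the control was never configured.
    foreach ($c in $controls) {
        $setting = $null
        if (Test-Path -LiteralPath $c.Key) {
            $setting = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).($c.Value)
        }
        $source = if ($null -eq $setting) { 'not configured' } else { "$($c.Key)\$($c.Value)" }
        [pscustomobject]@{ Control = $c.Name; Enabled = ($setting -eq 1); Source = $source }
    }

    # Evidence state: has script block logging (event 4104) actually written anything lately?
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $recent = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Control = "Script block events (4104) in last $LookbackHours h"
        Enabled = [bool]$recent
        Source  = $filter.LogName
    }
}

Get-PowerShellAuditState | Format-Table -AutoSize
```

Script block logging records the content of what ran, including scripts loaded reflectively into memory, which is exactly the "memory only" case slide 20 highlights; pair it with forwarding of the operational log off the host, because a tool that runs as the logged-on user can otherwise clear the local evidence.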
47. “Every contact leaves a trace”
◦ Locard's Exchange Principle
So go find the trace...
What about threat hunting?

48. Conclusion
◦ Realistic threat replication must properly model threats
▫ Realistic tactics (study intel)
▫ Observed techniques
▫ Similar behavior or procedures
◦ There are plenty of creative Post-Ex techniques to use
▫ Don’t be so square… :)
◦ You are defending against a human
▫ OPSEC is rarely perfect, hunt for trace evidence
49. Malware References
◦ RocketKitten - MPK Shell
◦ Sha1: Eb6a21585899e702fc23b290d449af846123845f
◦ https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

50. Malware References
◦ T9000 Malware - Tyeu.data
◦ Sha1: 21e78381c75184e5531dfc946cbc0c257e33325b
◦ http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/

51. Malware References
◦ Naikon APT (AKA APT30) FLASHFLOOD Malware
◦ Sha1: cfa438449715b61bffa20130df8af778ef011e15
◦ Two good references:
▫ https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
▫ https://securelist.com/analysis/publications/69953/the-naikon-apt/

52. Malware References
◦ Duqu 2.0 Malware
◦ IOCs:
▫ https://securelist.com/files/2015/06/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc
◦ Original Post:
▫ https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf