【HITCON FreeTalk 2022 - The Art of Blue Team】 ➠ Defeat 0day is not as Difficult as You Think ➠ Speaker: Jacky Hsieh

1. Jacky Hsieh
Defeat 0day Is Not
as Difficult as You
Think

2. Outline
• Whoami
• Case Study
• Exchange 0day
• Conclusion

3. Whoami
• CoreCloudJacky.Hsieh
• Senior Security Researcher
• Binary Security
• Reversing
• Incident Response & Forensic

4. Case Study

5. Initial Access ‒ Spear Phishing
• Faked ShadowSocks

6. Initial Access ‒ Spear Phishing
• Faked ShadowSocks

7. Initial Access ‒ Spear Phishing
• Faked ShadowSocks

8. Initial Access ‒ Spear Phishing
• Faked Zoom

13. • Shadowsocks.exe
> run.exe
> call cmd.exe
> network connection
> …
Malware Analysis

14. Malware Analysis
• Reverse Engineering, got C&C server.

15. Malware Analysis
• Execution Flow

16. Malware Analysis
• All of these malware were signed.

17. Malware Analysis
• All of these malware were signed.

18. Malware Analysis
• All of these malware were signed.

19. Malware Analysis
• They are all "benign" files on VT.

20. Malware Analysis
• They are all "benign" files on VT.

21. Malware Analysis
• They are all "benign" files on VT.

22. Post Exploitation
• DLL Injection – to hide the malicious behaviors

23. Post Exploitation
• Discovery

24. Post Exploitation
• Discovery

25. Post Exploitation
• Discovery – Treasure!

26. Post Exploitation
• Discovery – Treasure!

27. Post Exploitation
• Lateral movement

28. Post Exploitation
• Persistence

29. Post Exploitation
• Data Exfiltration

30. Post Exploitation
• Data Exfiltration

31. Post Exploitation
• Data Exfiltration

32. How to Detect ?
• Initial access
• Phishing
• Path, cmdline, signature, …
• Exploit
• General exploit cmdline, parent process

33. How to Detect ?
• Initial access
• Phishing
• Path, cmdline, signature, …
• Exploit
• General exploit cmdline, parent process
• Execution
• General exploit cmdline
• Parent process name
• File name

34. How to Detect ?
• Persistence
• Service create, autorun registry, startup folder, …
• Account create
• DLL side-loading
• Privilege Escalation
• Treasure
• General exploit cmdline

35. How to Detect ?
• Discovery
• Common command: whoami, ipconfig, netstat, ping, …
• Parent process name
• File name

36. How to Detect ?
• Discovery
• Common command: whoami, ipconfig, netstat, ping, …
• Parent process name
• File name
• Lateral movement
• Microsoft protocol: RDP, SMB, RPC, …
• General exploit cmdline

37. How to Detect ?
• Discovery
• Common command: whoami, ipconfig, netstat, ping, …
• Parent process name
• File name
• Lateral movement
• Microsoft protocol: RDP, SMB, RPC, …
• General exploit cmdline
• Exfiltration
• Rarely seen cmdline

38. Exchange 0day -
Detected on Early August

39. Suspicious Behaviors
• Initial Access
w3wp.exe create cmd.exe process
• Execution
General expoloit cmdline
• Discovery
Common command (net)
• Execution
Masquerading (File path)
• Execution
Masquerading (File path)
• Execution
General exploit cmdline

40. Suspicious Behaviors
• Initial Access
w3wp.exe create cmd.exe process
• Execution
General expoloit cmdline
• Discovery
Common command (net)
• Execution
Masquerading (File path)
• Execution
Masquerading (File path)
• Execution
General exploit cmdline

41. Suspicious Behaviors
• Initial Access
w3wp.exe create cmd.exe process
• Execution
General expoloit cmdline
• Discovery
Common command (net)
• Execution
Masquerading (File path)
• Execution
Masquerading (File path)
• Execution
General exploit cmdline

42. Suspicious Behaviors
• Initial Access
w3wp.exe create cmd.exe process
• Execution
General expoloit cmdline
• Discovery
Common command (net)
• Execution
Masquerading (File path)
• Execution
Masquerading (File path)
• Execution
General exploit cmdline

43. Suspicious Behaviors
• Obviously, it was a common web exploitation.
• The server is Exchange server, maybe it was a dated Exchange suffered from
Exchange CVEs.

44. Suspicious Behaviors
• Rarely seen command execution method.
• Let's reverse engineering for the detail.

45. Malware Analysis
• Ummm…it's really a researcher-friendly malware.

46. Nothing else is interesting.
Just recommend our user to update their Exchange and resolve this incident (?)
However, there is a little bit different from the feature of known CVEs…

47. Access Log Review ‒ ProxyShell
• Recall the ProxyShell
Ref: Actually, your blue team is red. Stealing your red move from the blue side, Hitcon, 2022.

48. Access Log Review ‒ ProxyShell
• Logs should look like…

49. Access Log Review ‒ Proxy ... Not Shell?
• .*autodiscover.json.*Powershell.*

50. Access Log Review ‒ Proxy ... Not Shell?
• Originally, this feature was left intentionally in order to detect the script
kiddies, but...

51. Incident Summary
• ProxyShell ?
• Unknown 1day ?
• 0day ?
• Post-Auth RCE ?

52. Mitigation
• Unknown 1day
• Update to the latest version
• Post-Auth RCE attack?
• Change user password
POST /autodiscover/autodiscover.json @fucky0u.edu/PowerShell<other payload> 443
CoreCloudTestAccount 192.168.xx.xx <User Agent> - 200 0 0 6077

53. ProxyNotShell Mitigation
• Recommended by MS
• .*autodiscover.json.*@.*Powershell.*
.

54. ProxyNotShell Mitigation
• Recommended by MS
• .*autodiscover.json.*@.*Powershell.*
.

55. ProxyNotShell Mitigation
• Recommended Regex: (?=.*autodiscover)(?=.*powershell)
• Change the input {REQUEST_URI} to {UrlDecode:{REQUEST_URI}}
Ref: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

56. Conclusion
• As long as continuously monitoring and tuning the detection rules, suspicious
behaviors can be detected in large amount of logs.
• Be curious about every abnormal events/incidents/logs so that we can make
decision more precisely.
• Despite the fact that we cannot make sure it was a unknown 1day or 0day attack
at that time, we successfully detected and mitigated it.
• Now we knew that it was a 0day attack.
• That is…
We defeated the 0day Attack!

57. hr@corecloud.com.tw
We Are Hiring

58. Thank You!