The document discusses various techniques used in Windows malware, including memory residency, modular design, DLL injection, beaconing, internal communication channels like named pipes, attacking Active Directory by dumping hashes and using golden tickets, and living off the land tools. It provides examples of code and demonstrations for many of the techniques. The goal is to understand malware development for defensive purposes like designing better defenses and gaining insight into future threats.

1. Windows Malware
Techniques
Lee Christensen
@tifkin_

2. C:> whoami

3. PS C:> ls env:

4. Where are we going?
• Windows user-land malware development and design
• Techniques for Windows environments
• Detection techniques
• I probably will forget to mention some of these….
• Not focusing on
• Kernel malware/rootkits, anti-forensics, AV-evasion

5. Why discuss malware
development and design?

6. Malware Dev: Defensive Perspective
• Understanding the code helps you design your defenses
• Malware development has its own pyramid of pain

8. Defensive Perspective
• Understanding the code helps you design your defense
• Malware development has its own pyramid of pain
• Gives insight into the future

9. Malware Dev: Offensive Perspective
• Understanding of tools
• Gives you control - easy to adapt
• Offensive in Depth
• Writing malware is fun!

11. A remote administration tool (RAT) is a piece of
software that allows a remote "operator" to control a
system as if he has physical access to that system.

12. A Good RAT
• <REMOVED>

13. Memory Residency
and
Modular Design

14. Approaches to Modularity
• <REMOVED>

15. DLL injection
• <REMOVED>

16. LoadLibrary
• <REMOVED>

17. LoadLibrary demo

18. Reflective DLL injection
• <REMOVED>

19. Reflective DLL demo

20. Modular Malware Demo

22. Beaconing Malware

23. Windows API HTTP Cheatsheet
• <REMOVED>

24. WinInet Example

25. DNS
• Why DNS?
• Not montitored as often
• Routed through a trusted host
• Great for low and slow
• Size considerations
• TXT records (255 bytes max)
• A records (4 bytes max)

26. Defensive Interjection!
• What can we do to detect poorly designed HTTP-based malware?
• How about DNS malware?
• Not all comms are beaconing

27. Internal Pivoting and Comms
• Goals
• Get remote execution
• Blend in
• Limit egress hosts

28. Execution

29. Pass the hash
• Pass the hash
• Toolkit
• Windows Credential Editor
• Metasploit
• SMBExec
• psexec

30. Oldies but Goodies:
Living Off The Land

31. At.exe
net use <ip>c$ /user:<username> <password>
at <ip> <time> c:users<user>appdatalocalmicrosoftbackdoor.exe

32. Schtasks.exe
schtasks /create /s <ip> /u <user> /p <password> /ru <runasuser> /tr
c:backdoor.exe /tn run /sc once /st <starttime>

33. Wmic.exe
wmic /node:<ip> /user:<user> /password:<password>
process call create c:backdoor.exe

34. Other ways…
• RDP
• VNC
• PowerShell Remoting

35. Internal Comm
Channels

36. Named Pipe
A named pipe is a named, one-way or duplex pipe for
communication between the pipe server and one or more pipe
clients. All instances of a named pipe share the same pipe name, but
each instance has its own buffers and handles.

37. Named Pipe
• <REMOVED>

38. Create a null SECURITY_DESCRIPTOR
<REMOVED>

39. Mail Slots
• <REMOVED>

40. Named Pipes Demo

41. Attacking Active Directory

42. Detecting/Preventing Local Password Theft
• Install KB2871997
• Removes all plaintext creds from lsass except WDigest
• http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
• Add admin accounts to "Protected Users" AD group
• Kerberos authentication only
• No account delegation (can't steal tokens)
• AES for pre-authentication process
• Restricted Admin mode for RDP
• Plaintext password never sent to server
• Network logons on (prevents token stealing)

43. Preventing Local Password Theft - cont
• LSASS Protected Process (Windows 8.1/2012 R2 and above)
• https://technet.microsoft.com/en-us/library/Dn408187.aspx
• Can be bypassed by via a driver
• Honey tokens
• Idea by Mark Baggett
• https://github.com/SMAPPER/MimikatzHoneyToken
• Alert on usage

44. Pass the hash Protections
• KB2871997
• Adds GPO to disable remote network logons from local accounts
• Local Adminstrator Password Solution (LAPS)
• Restrict inter-machine communications

45. Dumping the Domain’s Hashes

46. Old School – Code Execution on DC
Dump them from LSASS (Traditional hashdump)
lsadump::lsa /inject
lsadump::lsa /patch /name:krbtgt
Meterpreter
post/windows/gather/credentials/domain_hashdump
• Parses the ESE Database using the built-in JetAPI
Ntds.dit
Invoke-NinjaCopy
PowerForensics (@jaredatkinson)
Shadow copies
Ntdsutil

47. Detection
• Acesss to ntds.dit == Domain wide access
• Who has admin rights on DC's?
• Restrict logon rights of admin accounts (they don't need to be able to logon everywhere)
• Who has admin rights on admin PC’s?
• Who has access to backups?
• Who has access to virtualization infrastructure?
• Shadow Copy events
• Sysmon - Injections into lsass.exe, powershell.exe, ntdsutil.exe
• Network traffic - ntds.dit is not a small file…

48. DCSync – New Hotness for
grabbing domain hashes
Demo

49. DCSync Detection
• Follow Sean Metcalf (@PyroTek3)
• Unofficial documenter of Mimikatz functionality
• At the moment, enable Auditing of Directory Service Access
• https://support.microsoft.com/en-us/kb/232714
• Demo

51. Golden Tickets

52. Golden Tickets
• Event IDs: 4624 (logon), 4672 (admin logon), 4634 (logoff)
• Account Domain field is blank (should be DOMAIN)
• Account Domain field is FQDN (should be DOMAIN)

53. Pay attention to what your tools are doing!!!

54. Golden Tickets
• Event IDs: 4624 (logon), 4672 (admin logon), 4634 (logoff)
• Account Domain field is blank (should be DOMAIN)
• Account Domain field is FQDN (should be DOMAIN)
• Account Domain field is "eo.oe.kiwi :)"