Page 1: Evading Defenses with Acidrain, Powershell, Github and ... · Copyright 2015 InGuardians, Inc. 29 Thank You Talk and Demo at our table at 3:30pm. Title: Hackfest2015-AcidRainAndPowershell.pptx

1

Evading Defenses with Acidrain, Powershell, Github and Pastebin

Mike Poor and Jay Beale
Adam Crompton, Tyler Robinson and John Sawyer

InGuardians

(bonus booth talk on Word macro-based exploitation and remote access tool)

Copyright 2015 InGuardians, Inc.

Page 2:

Evasion Tactics
•  Self-decrypting Python Droppers
•  Powershell In-Memory Command and Control
•  (Booth) Macro Execution and the Throwback Remote Access Tool
•  Anti-virus vendor chosen:
    –  Symantec Endpoint Protection 12.1.16

Page 3:

AcidRain
•  We've never been caught by A/V with AcidRain
•  Encrypts Python in AES-256
    –  We use msfvenom's Python version of the Meterpreter
•  Pyinstaller to create an EXE
•  Methods of obtaining key
    –  Keep the key in the payload
    –  Socket connect (nc -l)
    –  Web request (python SimpleHTTPServer)
•  This works for any Python code.

Page 4:

AcidRain Modules
•  System profiler
    –  Mac, Linux, Windows
    –  Automated post-exploitation profiling commands
    –  Phones home, sends profiling output, cuts connection
    –  Reconnects after a pre-defined time
•  SOCKS4 proxy
•  Bind shell
•  Reverse shell

Page 5:

Uses Pyinstaller
•  Pyinstaller bundles python applications into a single exe file.
•  Run on Linux using Wine:

wine c:\\Python27\\python.exe /usr/share/pyinstaller/pyinstaller.py /home/user/hello.py --onefile
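From the defender's side, the useful property of a PyInstaller --onefile executable is that it is easy to recognise on disk: the bootloader carries an appended archive that ends in a fixed cookie (magic bytes, archive length, table-of-contents offset and length, Python version, and since PyInstaller 2.1 a 64-byte Python library name). The following triage script is an added example, not InGuardians' code and not part of the slides; it parses that cookie so a sample can be classified as a PyInstaller bundle before any further analysis. The "bundle" it scans is constructed in-line, the field layout follows PyInstaller's own archive reader, and the sanity check on the TOC position is an assumption of this example.

```python
import struct
import sys
from typing import Optional

# Magic and cookie layout as used by PyInstaller's archive reader.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT_NEW = "!8sIIii64s"  # magic, archive len, TOC offset, TOC len, pyver, pylib name (2.1+)
COOKIE_FMT_OLD = "!8sIIii"     # same fields without the pylib name (PyInstaller 2.0)


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed archive cookie if `data` looks like a PyInstaller bundle, else None.

    The cookie normally sits at the very end of the file, so we search backwards
    for the magic; this also copes with a few trailing bytes after the archive.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0:
        return None
    tail = data[pos:]
    if len(tail) >= struct.calcsize(COOKIE_FMT_NEW):
        _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT_NEW, tail)
        pylib_name = pylib.split(b"\x00", 1)[0].decode("ascii", "replace")
    elif len(tail) >= struct.calcsize(COOKIE_FMT_OLD):
        _, pkg_len, toc_off, toc_len, pyver = struct.unpack_from(COOKIE_FMT_OLD, tail)
        pylib_name = ""
    else:
        return None
    # Consistency check (assumption of this example): the TOC must lie inside the archive.
    if toc_off + toc_len > pkg_len:
        return None
    return {
        "archive_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": pyver,   # raw field, e.g. 27 for Python 2.7
        "python_lib": pylib_name,  # e.g. "python27.dll"
    }


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a --onefile executable: fake PE stub + body + cookie."""
    stub = b"MZ" + b"\x00" * 62                # constructed DOS-header placeholder
    payload = b"PYZ-00.pyz" + b"\xAA" * 200     # constructed archive body (210 bytes)
    toc = b"TOC" * 10                          # constructed table of contents (30 bytes)
    body = payload + toc
    cookie_len = struct.calcsize(COOKIE_FMT_NEW)
    cookie = struct.pack(COOKIE_FMT_NEW, PYINSTALLER_MAGIC, len(body) + cookie_len,
                         len(payload), len(toc), 27, b"python27.dll")
    return stub + body + cookie


def scan_paths(paths):
    """Classify each file on disk; yields (path, cookie-or-None)."""
    for path in paths:
        with open(path, "rb") as fh:
            yield path, find_pyinstaller_cookie(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("constructed sample:", find_pyinstaller_cookie(build_sample_bundle()))
    for path, cookie in scan_paths(targets):
        print(path, "PyInstaller bundle" if cookie else "no PyInstaller cookie", cookie or "")
```

Run without arguments it classifies the constructed sample; with file paths it classifies real binaries. A positive match says only that the executable was packaged with PyInstaller, which is common for legitimate software too; its value is as a triage signal that steers the analyst towards extracting the embedded Python rather than reversing the bootloader.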

Page 6:

Demo

AcidRain

(Video will be linked to from InGuardians website within one week)

Page 7:

Puppet Master C2 Framework
•  Powershell Command and Control (C2) via third party widely-used services
•  Current payloads:
    –  Invoke-Github.ps1
    –  Invoke-Pastebin.ps1
•  If these are blocked, we can create more, making the defenders play Whack-a-Mole!
•  Submitting these to @harmjoy for Empire inclusion

Page 8:

Powershell Commands
•  The attacker types powershell commands and receives their output.
•  This is incredibly powerful, as we can use all the Powershell frameworks, our own commandlets or just start running commands.

Page 9:

Github and Pastebin
•  On Github, we create a "gist," a non-project code publish
    –  All C2 data is comments on the gist.
•  On Pastebin, we create a paste.
    –  Expiration date is set to a short time, say, one hour.

Page 10:

Encryption
•  Prereq: Powershell v2.0 and .NET version 4.0
•  Encryption Used: AES 256-bit using ConvertTo-SecureString and ConvertFrom-SecureString commandlets
•  All commands and results are encrypted before posting to the third party page, to avoid divulging any data.

Page 11:

1. How Does the C2 Function

[Diagram: Victim, Attacker, Third Party Service (Pastebin, Github)]

Beacon checks in for a new command with dynamic jitter rate

Page 12:

2. How Does the C2 Function

[Diagram: Victim, Attacker, Third Party Service (Pastebin, Github)]

Attacker sends a command in a request to third party service's API

Page 13:

3. How Does the C2 Function

[Diagram: Victim, Attacker, Third Party Service (Pastebin, Github)]

Attacker polls the third party service until a response is posted.

Page 14:

4. How Does the C2 Function

[Diagram: Victim, Attacker, Third Party Service (Pastebin, Github)]

Beacon gets the command that the attacker stored in the post and runs it on the host.

Page 15:

5. How Does the C2 Function

[Diagram: Victim, Attacker, Third Party Service (Pastebin, Github)]

Beacon sends command output back to the third party service.

Page 16:

6. How Does the C2 Function

[Diagram: Victim, Attacker, Third Party Service (Pastebin, Github)]

Attacker gets response from server.
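The six steps above, together with the Github and Pastebin slide, describe a beacon that polls a gist or paste on a jittered timer; because the traffic is TLS to a popular service, content inspection and domain reputation do not help, but the timing does. The script below is an added example written from the detection side; it is not part of the talk and not InGuardians' code. It reads proxy log lines in a constructed format ("time client method url status"), groups requests to a small watchlist of code-sharing services by (client, hostname), and flags pairs whose inter-request gaps are numerous and regular (low coefficient of variation), which survives modest jitter. The log lines, hostnames' watchlist, and thresholds are assumptions of this example; tune them to your own proxy format and user base.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log sample: "<ISO-8601 UTC time> <client> <method> <url> <status>".
# 10.0.0.5 polls one gist's comments roughly every minute (jittered); 10.0.0.9 is a
# developer using the GitHub API irregularly; 10.0.0.7 fetches a paste twice.
SAMPLE_LOG = """\
2015-11-07T14:00:00Z 10.0.0.5 GET https://api.github.com/gists/abc123/comments 200
2015-11-07T14:00:10Z 10.0.0.9 GET https://api.github.com/repos/acme/app/issues 200
2015-11-07T14:00:13Z 10.0.0.9 GET https://api.github.com/repos/acme/app/pulls 200
2015-11-07T14:00:30Z 10.0.0.5 GET https://www.example.com/index.html 200
2015-11-07T14:01:00Z 10.0.0.5 GET https://api.github.com/gists/abc123/comments 200
2015-11-07T14:02:06Z 10.0.0.5 GET https://api.github.com/gists/abc123/comments 200
2015-11-07T14:03:03Z 10.0.0.5 GET https://api.github.com/gists/abc123/comments 200
2015-11-07T14:04:06Z 10.0.0.5 GET https://api.github.com/gists/abc123/comments 200
2015-11-07T14:05:17Z 10.0.0.5 GET https://api.github.com/gists/abc123/comments 200
2015-11-07T14:06:16Z 10.0.0.5 GET https://api.github.com/gists/abc123/comments 200
2015-11-07T14:10:00Z 10.0.0.7 GET https://pastebin.com/raw/xyz789 200
2015-11-07T14:12:30Z 10.0.0.7 GET https://pastebin.com/raw/xyz789 200
2015-11-07T14:15:13Z 10.0.0.9 GET https://api.github.com/repos/acme/app/commits 200
2015-11-07T14:15:25Z 10.0.0.9 GET https://api.github.com/user 200
2015-11-07T14:55:25Z 10.0.0.9 GET https://api.github.com/repos/acme/app/issues 200
2015-11-07T14:56:05Z 10.0.0.9 GET https://api.github.com/repos/acme/app/issues 200
"""

# Services the slides name as C2 carriers; extend with whatever your estate sees abused.
WATCHED_HOSTS = {"api.github.com", "gist.github.com", "pastebin.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, client, hostname) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    host = urlsplit(m.group(4)).hostname or ""
    return ts, m.group(2), host


def find_beacons(lines, watched=WATCHED_HOSTS, min_hits=5, max_cv=0.5):
    """Flag (client, host) pairs that contact a watched service at near-regular intervals.

    A beacon with "dynamic jitter" still clusters around its base interval, so the
    standard deviation of the gaps stays small relative to the mean (low CV).
    Human browsing and API scripting produce gaps that span orders of magnitude.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        if watched is None or host in watched:
            hits[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in hits.items():
        if len(stamps) < min_hits:
            continue                      # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits, "
              f"~{f['mean_interval_s']}s apart, cv={f['cv']}")
```

On the constructed sample only 10.0.0.5 is reported: seven requests to api.github.com about 63 seconds apart with a CV near 0.08, while the developer host's gaps (3 s to 40 minutes) give a CV well above 1 and the paste fetches never reach the hit threshold. In production the same pairing of a watched destination with a low-CV interval is what turns "someone used GitHub" into an alert worth a look, and the gist or paste id in the URL path gives the responder something to pull for the encrypted command traffic.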

Page 17:

DEMO

Invoke-Pastebin.ps1 Invoke-Github.ps1

(Video will be linked to from InGuardians website within one week)

Page 18:

Booth: Macro-Based Injection
•  Threat actors don't always use sophisticated attacks.
•  Why use a $10k 0-Day or reverse engineer a protocol when a simple email will work?
•  Microsoft Office Macro-Based Payload Injection
    –  Great way to get an initial foothold or gain more access in the environment.
    –  Utilize memory-based injections

Page 19:

Executables Embedded in Macros

•  We use Office Developer Tools to create a macro containing an encrypted and base64-encoded payload.
•  We place the macro in a document, formatted as a regular .doc or .xls file.
    –  It does not have to be the .docm format.
•  The payload executes silently in the background.
•  This payload could be an .EXE or a .DLL file.

Page 20:

Additional A/V Evasion
•  The macro can drop the payload to disk as a compressed archive to help avoid detection.
•  We can extract a DLL as a .log file in a hidden directory and run it using rundll32.exe.
•  In this case, we're going to place the Throwback open source RAT onto the system via the macro.

Page 21:

Payload and Persistence
•  In this demo, the Throwback backdoor:
    –  drops a .exe into a hidden directory as a hidden file
    –  runs this .exe, which deletes its on-disk file
    –  which in turn copies a second .exe to a different hidden directory as a different hidden file.
    –  and creates a service and checks proxy settings to gain Internet access to call home, all using native Windows API calls.

Page 22:

Throwback RAT
•  We use the Throwback RAT as a long term foothold in the organization.
•  The RAT beacons home over HTTP(s) & DNS using winhttp/wininet for proxy awareness.
•  The backdoor is then used to pivot to other boxes, where we deploy RATs on systems other than beaconing hosts, to retain access and avoid detection.

Page 23:

DLL Execution: Cobalt Strike Beacon

•  Here, we place the Cobalt Strike Reverse HTTPS Beacon on the victim as perflib0.log and execute with rundll32.exe.

•  Run Mimikatz and hashdump for cleartext passwords and local hashes.

•  We could also use the beacon to spawn meterpreter in memory, use powershell, pivot, scan and attack.
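Two host-side signals fall out of the macro slides and this one: an Office application spawning a script host or loader, and rundll32.exe being handed a module whose extension is not a DLL (the talk's perflib0.log). Both are visible in ordinary process-creation telemetry, so the following added example, not part of the talk and not InGuardians' code, applies those two checks to a handful of constructed Sysmon-style events (ParentImage, Image, CommandLine). The event data, the parent/child lists and the allowed-extension set are assumptions of this example; the command-line sample with perflib0.log uses a constructed path and entry-point name. Generalising from the single .log case in the slides, the rundll32 check flags any non-DLL-looking extension, which also catches the same trick with other disguise names.

```python
import ntpath
import re

# Constructed process-creation events in Sysmon Event ID 1 style.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\alice\invoice.doc"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",            # benign: Control Panel applet
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",  # macro-spawned loader
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\.cache\perflib0.log,EntryPoint'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",  # macro-spawned shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop'},
    {"ParentImage": r"C:\Windows\System32\services.exe",           # benign: quoted DLL path
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Init'},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_OR_LOADER_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                             "wscript.exe", "cscript.exe", "mshta.exe"}
RUNDLL32_OK_EXT = {".dll", ".cpl", ".ocx"}   # extensions rundll32 is legitimately given; tune locally

# First token (quoted or bare) is the image; capture the second token, which for
# rundll32 is "<module>,<entry>". A bare token stops at the comma.
SECOND_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]*)"|([^\s,]+))')


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rundll32_module(cmdline: str):
    """Extract the module path rundll32 was asked to load, or None if there is no argument."""
    m = SECOND_TOKEN.match(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(events):
    """Return (event index, rule name) pairs for every event that trips a rule."""
    findings = []
    for idx, ev in enumerate(events):
        parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
        # Rule 1: an Office document should not need to launch a shell, script host or loader.
        if parent in OFFICE_PARENTS and image in SCRIPT_OR_LOADER_CHILDREN:
            findings.append((idx, "office_spawned_script_or_loader"))
        # Rule 2: rundll32 loading something that is not named like a DLL (e.g. a ".log").
        if image == "rundll32.exe":
            module = rundll32_module(cmd)
            if module is not None and ntpath.splitext(module)[1].lower() not in RUNDLL32_OK_EXT:
                findings.append((idx, "rundll32_non_dll_module"))
    return findings


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

On the sample the macro-spawned rundll32 event trips both rules and the macro-spawned PowerShell trips the first, while the two legitimate rundll32 invocations (a bare shell32.dll and a quoted vendor DLL path) pass. Renaming the DLL defeats file-extension-based AV scanning but not this check, because rundll32 still has to be told where the module is.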

Page 24:

Injecting Shellcode into a Process

•  We also inject a meterpreter payload into an already-running process by generating raw shellcode (perflib0.html) and injecting it into that process.

•  This was not detected by AV.

Page 25:

Steps in the Video 1 of 2

1.  Create a Word macro and e-mail it to a social engineering (SE) victim.
2.  Victim opens the Word doc and approves the macro.
3.  Throwback binary starts, connects to PHP app.
4.  Get a process list to find a process to inject into.
5.  Create Meterpreter shellcode (perflib0.html)
6.  Download Cobalt Strike (perflib0.log)

Page 26:

Steps in the Video 2 of 2

7.  Instruct victim to rundll32 perflib0.log
8.  Instruct victim to download shellcode and inject into PID 1560.
9.  Interact over Cobalt Strike.
10. Interact over Meterpreter session.

Page 27:

Demo (Video will be linked to from InGuardians website within one week)

Page 28:

Pivot, Pivot, Pivot
•  With an initial foothold, the goal is to always pivot and avoid detection.
•  With good OPSec, you can maintain long-term access as well as pivot and attack.

Page 29:

Thank You
Talk and Demo at our table at 3:30pm. We're always seeking to up our game, create cool tools and techniques, and share with our community. InGuardians is proud to sponsor the SANS Pentest HackFest.