Cracking the Perimeter with Sharpshooter Dominic Chell June 2019 # Whoami

Cracking the Perimeter with SharpShooter Dominic Chell June 2019 # whoami

•Dominic Chell: •Offensive Security @ MDSec •Responsible for *BEST, STAR and TIBER services •Twitter : @domchell •Projects: •SharpShooter •LyncSniper •SharpPack •PowerDNS •Chameleon OUTLINE

•Background •“Free Styling” with SharpShooter •SharpShooter Overview •Exploring AMSI •Reconnaissance •Macro Support •Delivery •Tradecraft •Sandbox Evasion •Detection / Prevention •Staging BACKGROUND

•Establishing initial access can often be complex •Increased focus from defenders on PowerShell attacks •Easy to signature both statically and with process spawn chains •AMSI provides engines direct access to memory •Rise of sandboxing tech, “Next Gen Anti-Virus”, EDR and EDP •Increased difﬁculties introducing payloads to environments •Red teaming is getting harder! OVERVIEW: SharpShooter

•Internally developed tool; SharpShooter

•Successful on a number of adversary simulations

•Some success in bypassing traditional and “Next Gen” security controls OVERVIEW: SharpShooter OVERVIEW: SharpShooter

•Staged and stageless payload creation framework for Windows based Scripting ﬁle formats: •HTML Applications •JavaScript •VBScript •Windows Script Files •VBA and Excel4 Macro Support •Arbitrary execution of CSharp source •Anti-Sandboxing and HTML Smuggling OVERVIEW: SharpShooter

•Script payloads execute DotNet using DotNetToJScript •Staged payloads: •Arbitrary CSharp source code is retrieved via DNS or web •CSharp source code is compiled and executed using reﬂection RECONNAISSANCE

•Targeted reconnaissance provides better chance of success

•Payload should be targeted for correct version of DotNet framework

•If executing in-process shellcode, it should correspond to the target’s architecture

•Alternatively, an x86 process can be spawned and injected in to RECONNAISSANCE

•Reconnaissance e-mail with image and system proﬁling links

•Embed in e-mail:

•Monitor web logs for results:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.6366; ms-office; MSOffice 16) DELIVERY

•Delivery can leverage the “HTML smuggling” technique from @buffaloverflow •RC4 encrypted file decrypted in the browser using JavaScript’s WebCrypto APIs •navigator.mssaveBlob forces the browser to save the decrypted blob locally •Proxy sees text/html or attachment rather than the content type of the payload (e.g. text/vbscript) •SharpShooter provides two pre-defined template examples SANDBOX EVASION

•Attempts to avoid automated analysis, inspired by CheckPlease: •Domain keying •Domain member •Sandbox artefacts •Bad MACs •Debugging SANDBOX EVASION

•Obtaining Active Directory name example: SANDBOX EVASION

•Obtaining Active Directory name example: DEMO: PALO ALTO TRAPS DETECTION STATUS

•Shortly after release signatures began to emerge

•Defender AMSI signature detects all DotNetToJScript

•Proclaimed dead by @subTee DETECTION STATUS DETECTION STATUS SharpShooter RESURRECTION ANTIMALWARE SCAN INTERFACE

•Microsoft introduced AMSI in Windows 10

•Standard interface to provide ﬁle, memory and stream scanning for any application

•Analysis at the scripting engine therefore access to the plain, deobfuscated code

•Supported in PowerShell, Windows Script Host, JavaScript and VBScript and Ofﬁce VBA macros ANTIMALWARE SCAN INTERFACE ANTIMALWARE SCAN INTERFACE ANTIMALWARE SCAN INTERFACE

•Mid-April 2018 @subTee released “SquiblyTwo” attack

•Script execution through Stylesheets using wmic.exe

•Defender AMSI did not trigger COM STAGING

•Updates to SharpShooter to include “COM Staging” and XSL / SCT generation •Several known COM methods allow command execution: • Outlook.CreateObject, • WScript.Run, • Shellbrowserwindow.Document.Application.Run, • WMI StartWin32Process •Leverage COM to execute wmic.exe or regsvr32.exe on the command line to perform “Squiblydoo” and “SquiblyTwo” attacks COM STAGING

COM Interface wmic.exe / Remotely Hosted HTA, JS, VBS (Outlook, WScript, regsvr32.exe XSL or SCT WMI etc) FREE STYLING WITH SharpShooter FREE STYLING WITH SharpShooter

•Research in to COM objects supporting XSL processing identiﬁed Microsoft.XMLDOM interface

•Inline and remotely hosted transformation of XML against a given stylesheet, providing following beneﬁts: •No command line execution, •Regsvr32.exe has known IOCs e.g. User-Agent, •XSL retrieval via HTTP/HTTPS •AMSI not supported in scriptlets; added early 2019 •Later used by @bohops to bypass WDAC in CVE-2018-8492 FREE STYLING WITH SharpShooter DEMO: WINDOWS DEFENDER XSL AMSI BYPASSES

•@Tal_Liberman discovered an AMSI bypass using the “AmsiEnable” registry key (HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable)

•Requires the user to “open” the payload twice: •First pass checks the registry to determine if the key is set and if not set it •Second pass opens the payload from the user’s download folder AMSI BYPASSES AMSI BYPASSES

•@tiraniddo discovered a DLL hijacking vulnerability in AMSI

• The technique prevents LoadLibrary from loading the AMSI.dll by convincing it that it’s already loaded

•The scripting engine is unable to ﬁnd the AMSI DLL exports and fails safe

•Copy wscript.exe to known location with name amsi.dll and run the script ﬁle AMSI BYPASSES

•@Tal_Liberman discovered another bypass in AMSI by patching the amsi.dll’s exported functions

•AmsiScanBuffer handles the buffer that is being scanned

•Function patched in memory to return AMSI_RESULT_CLEAN

• mov eax, 0x80070057; retn DEMO: DEFENDER AMSI BYPASS MACRO SUPPORT

•In Feb 2019, SharpShooter added additional support for VBA and Excel 4.0 macros •VBA support introduced using XMLDOM and XSL technique •@StanHacked discovered a legacy feature of Ofﬁce to execute macros using Excel 4.0 •Excel 4.0 does not support AMSI and not recognised by many EDR/EDP solutions •SharpShooter generates an SLK ﬁle to directly execute shellcode in Excel DEMO: MACRO EXECUTION TRADECRAFT

•Default SharpShooter templates do not employ OpSec tradecraft, stageless template: •Allocates memory EXECUTE_READWRITE for shellcode execution •Executes shellcode “in process”, e.g. mshta.exe performing C2 •Spawns from the default parent, e.g. wscript.exe launched from chrome.exe •Indicators discussed in detail by defenders: •https://countercept.com/blog/analyzing-sharpshooter-part-1/ •https://countercept.com/blog/analyzing-sharpshooter-part-2/ TRADECRAFT

•Reducing memory indicators is a trivial step:

•Firstly allocate memory using PAGE_READWRITE

•Reset the page permissions to PAGE_EXECUTE_READ using VirtualProtect TRADECRAFT

•Reducing process indicators can be achieved using injection: •Spawn innocuous process e.g. iexplore.exe •Inject shellcode using chosen technique, e.g. ALPC, SetThreadContext, CreateRemoteThread etc. TRADECRAFT

•Parent PID spooﬁng can be performed using UpdateProcThreadAttribute •CreateProcess using STARTUPINFOEX struct DEMO: TRADECRAFT DETECTION

•Staged mode CSharp compilation using CodeDom with the CompilerParameters.GenerateInMemory = true; parameter •Command line logging: •csc.exe invocation •nslookup.exe for DNS delivery •Modiﬁcations to AmsiEnable registry key for AMSI bypasses PREVENTION

•Endpoint prevention strategies: •Device Guard code integrity policy •Application whitelisting, block mshta.exe etc. •Modify default handlers for scripting extensions •Network: •Outbound DNS ﬁltering •Monitor for HTML Smuggling, e.g. WebCrypto APIs CONCLUSIONS

•Windows Scripting ﬁle formats provide a number of interesting opportunities for initial access

•Leveraging COM these can be harnessed for code execution using scriptlets and execution cradles

•Creating weaponised tools raises ethical dilemmas, particularly when observed in the wild

•Red team research/tooling can however provide a rare opportunity to raise the bar in detection at scale REFERENCES

•SharpShooter available from https://github.com/ mdsecactivebreach/SharpShooter •Thanks to the following people: •@tiraniddo: DotNetToJScript •@Arno0x0x: EmbedInHTML •@buffaloverﬂow: Demiguise •@arvanaghi and @ChrisTruncer: CheckPlease •@subTee: Squiblydoo/Two •@StanHacked: Excel4.0 research QUESTIONS